If you've ever run chmod to fix a file's permissions, created a new file five minutes later, and found it back at the "wrong" mode — you've met umask. They look related, but they do different jobs, and confusing them causes a surprising amount of "why is this 644 again?" frustration.
Here's the short version.
chmod changes permissions on files that already exist
chmod is reactive. It takes a file (or directory) that exists right now and sets its mode.
chmod 640 secret.conf # rw-r----- on this one file
chmod u+x deploy.sh # add execute for the owner
That's it. It does nothing for the next file you create.
umask sets the default for files you haven't created yet
umask is proactive. It's a mask whose bits get cleared (a bitwise operation, not arithmetic subtraction) from the base permissions the OS hands out when something new is created:
- New files start from 666 (rw-rw-rw-)
- New directories start from 777 (rwxrwxrwx)
The kernel then strips whatever bits your umask names.
umask # show current mask, often 0022
umask 027 # set a stricter mask for this shell
The relationship in one line
final permission = base (666 file / 777 dir) AND (NOT umask)
So with the common umask 022:
| Created | Base | umask | Result |
|---|---|---|---|
| File | 666 | 022 | 644 (rw-r--r--) |
| Directory | 777 | 022 | 755 (rwxr-xr-x) |
This is why a fresh file is 644 even though you never ran chmod — the umask did it for you.
Common umask values worth memorizing
| umask | New files | New dirs | Use case |
|---|---|---|---|
| 022 | 644 | 755 | Default on most distros; world-readable |
| 027 | 640 | 750 | Group-friendly, hidden from "others" |
| 077 | 600 | 700 | Private — only the owner can touch it |
A quick gut check: umask 077 is the one you want for SSH keys, secrets, and anything on a shared box.
When to reach for which
- Need to fix this file, now? → chmod
- Tired of fixing the same default over and over? → set umask (in your ~/.bashrc, a systemd unit's UMask=, or /etc/login.defs for system-wide)
A trap worth knowing: umask only ever removes bits. It can't grant execute on a file the way chmod +x does — the base mode for files is 666, which has no execute bits to begin with. That's why new scripts always need an explicit chmod +x.
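The rule above (base AND NOT umask) and the "only removes bits" trap, checked against what the kernel really does. This is an added example, not part of the original post; the helper names predict_mode, mode_of, observe_mode and write_secret are hypothetical, and it assumes a POSIX shell with mktemp and either GNU or BSD stat.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the original post.

# Predicted mode of a new object: base AND (NOT umask).
# $1 = umask in octal (e.g. 027), $2 = "file" or "dir"
predict_mode() {
    case "$2" in
        dir) base=0777 ;;
        *)   base=0666 ;;
    esac
    printf '%03o\n' $(( $base & ~0$1 & 0777 ))
}

# Permission bits of an existing path (GNU stat first, BSD stat as fallback).
mode_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%03o\n' "0$m"
}

# Create a file or directory under the given umask and report its real mode.
# The ( ) body is a subshell, so the caller's umask is left untouched.
observe_mode() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    mode_of "$tmp/new"
    rm -rf "$tmp"
)

# Write a secret so that it is 600 from the moment it exists, rather than
# creating it at the default mode and tightening it with chmod afterwards.
# This only holds when the file is newly created; an existing file keeps
# whatever mode it already had.
write_secret() (
    umask 077
    printf '%s\n' "$2" > "$1"
)

# Prediction next to what the kernel actually produced.
for mask in 022 027 077 000; do
    printf 'umask %s  file %s/%s  dir %s/%s\n' "$mask" \
        "$(predict_mode "$mask" file)" "$(observe_mode "$mask" file)" \
        "$(predict_mode "$mask" dir)"  "$(observe_mode "$mask" dir)"
done
```

The 000 row is the trap in action: even with an empty mask a new file stops at 666, so execute still has to come from chmod.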
Try it without doing octal math in your head
If you'd rather not compute 666 AND NOT 022 by hand, I keep two small client-side tools bookmarked (everything runs in the browser, nothing is uploaded):
- An interactive umask calculator — type a mask, see the resulting file/dir modes instantly.
- A longer write-up: umask vs chmod, explained with a full cheat sheet and FAQ.
TL;DR: chmod edits one existing file. umask is the default filter applied to everything you create next. Fix the present with chmod; fix the future with umask.
What umask do you run on your servers? I'm curious how many people switched to 027/077 after a close call.