Configuring Secure Default File Permissions with umask on Linux
Strengthen your Linux system security by configuring proper default file permissions
Default file permissions in Linux can expose sensitive data to other users on the system. The umask (user file creation mode mask) controls the default permissions assigned to newly created files and directories, making it a crucial security setting for protecting user privacy.
This guide demonstrates how to configure umask settings on Ubuntu and RHEL/AlmaLinux systems to create more secure default permissions.
Prerequisites
- Basic understanding of Linux file permissions
- Access to modify system configuration files
- Knowledge of octal permission notation
How umask Works
Permission Calculation
- Files default: 666 (read/write for all)
- Directories default: 777 (read/write/execute for all)
- umask clears (masks out) the specified bits from those defaults: mode = default AND NOT umask. It can only remove bits, never add them, which is why a file created under umask 000 still lands at 666 with no execute bits
Common umask Values
- 022: Removes write for group and others (files: 644, dirs: 755)
- 027: Removes write for group and all access for others (files: 640, dirs: 750)
- 077: Removes all access for group and others (files: 600, dirs: 700)
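As an added example (not part of the original guide), the following shell functions compute the file and directory modes a umask produces with the same bitwise operation the kernel applies, then confirm the prediction by creating a real file and directory under a temporary directory. It assumes a POSIX shell, mktemp and GNU stat (stat -c %a), i.e. an ordinary Linux box; the function names are illustrative and not from any distribution tool.

```bash
#!/usr/bin/env bash
# Added example: predict and verify the modes produced by a umask.
# Assumes a POSIX shell, mktemp and GNU stat (stat -c %a). Function names
# are illustrative, not from any distribution tool.

# The kernel applies a umask bitwise: mode = default AND NOT mask.
# Subtracting digit by digit happens to work for 022, 027 and 077 but not
# in general: 666 & ~033 is 644, not 633, because a file never had an
# execute bit to lose.
umask_file_mode() {   # $1 = umask in octal; prints the mode of a new file
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

umask_dir_mode() {    # $1 = umask in octal; prints the mode of a new directory
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Create one file and one directory under a private temp dir with the given
# umask (inside a subshell, so the caller's umask is untouched) and print
# the observed modes as "FILEMODE DIRMODE".
umask_observe() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/f"
        mkdir "$tmp/d"
        printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    )
    rm -rf "$tmp"
}

# Return 0 when the kernel agrees with the prediction for a given umask.
umask_check() {
    expected="$(umask_file_mode "$1") $(umask_dir_mode "$1")"
    observed=$(umask_observe "$1") || return 1
    [ "$expected" = "$observed" ]
}

# Walk the values from the table above plus 033 to show the bitwise rule.
for m in 022 027 077 033; do
    if umask_check "$m"; then status=verified; else status=MISMATCH; fi
    printf 'umask %s -> files %s, dirs %s (%s)\n' \
        "$m" "$(umask_file_mode "$m")" "$(umask_dir_mode "$m")" "$status"
done
```

Running it prints one line per mask; the 033 line shows files at 644 and directories at 744, which a subtraction-based mental model gets wrong.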
Current System Defaults
Ubuntu
- UMASK in /etc/login.defs: 022
- Home directories: 750 (HOME_MODE 0750; group can read/execute)
RHEL/AlmaLinux
- UMASK in /etc/login.defs: 022
- Home directories: 700 (owner only)
Both distributions give every user a private group, and that relaxes the effective value: an interactive shell for a regular user usually reports 0002 rather than 0022. On Ubuntu, pam_umask applies the user-private-group rule when USERGROUPS_ENAB is yes in /etc/login.defs; on RHEL/AlmaLinux, /etc/profile and /etc/bashrc set umask 002 for any user whose UID is above 199 and whose primary group name matches the username. Check with umask in a fresh shell rather than trusting the configured value.
Try it yourself:
Check Current Settings
# View current umask
umask
# View in symbolic format
umask -S
# Example output with the stock 022 value: u=rwx,g=rx,o=rx
Temporary Changes
# Set restrictive umask for current session
umask 077
# Test file creation
touch testfile
ls -l testfile
# Output: -rw------- (600 permissions - umask removes group/other access)
# Test directory creation
mkdir testdir
ls -ld testdir
# Output: drwx------ (700 permissions - umask removes group/other access)
Permanent System-wide Configuration
Edit /etc/login.defs:
sudo vim /etc/login.defs
For Maximum Privacy
# Set restrictive umask
UMASK 077
# Lock down home directories
HOME_MODE 0700
For Balanced Security
# Group access allowed, others blocked
UMASK 027
HOME_MODE 0750
Per-User Configuration
Add to ~/.bashrc or ~/.profile:
# Personal restrictive umask
umask 077
Distribution-Specific Hardening
Ubuntu Configuration
System-wide hardening:
# Edit login defaults
sudo vim /etc/login.defs
# Set restrictive defaults
UMASK 077
HOME_MODE 0700
# Also set it for login shells. /etc/profile is read by login shells only;
# an interactive non-login shell (a terminal window) reads /etc/bash.bashrc
# instead, so add the same line there if that is how users work. Appending
# puts the line after any earlier umask, which is what makes it win.
echo "umask 077" | sudo tee -a /etc/profile
RHEL/AlmaLinux Configuration
AlmaLinux already uses 700 for home directories:
# Edit login defaults
sudo vim /etc/login.defs
# Enhance umask security
UMASK 077
# Configure shell defaults. RHEL's /etc/bashrc and /etc/profile already
# set umask 002 or 022 based on the UID; appending at the end means the
# new line runs last and overrides that logic for interactive shells.
echo "umask 077" | sudo tee -a /etc/bashrc
Verification and Testing
Test New umask
# Set test umask
umask 077
# Create test files
mkdir testdir
touch testdir/testfile
# Check permissions
ls -ld testdir
ls -l testdir/testfile
Verify User Home Security
# Check home directory permissions (one line per home directory)
ls -ld /home/*
# Should show drwx------ (700) for maximum privacy, owner-only access;
# a 750 directory shows drwxr-x--- and lets the user's group read it
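To check that the changes from the "Permanent System-wide Configuration" and "Distribution-Specific Hardening" sections actually took hold, here is an added audit script (my own code, not part of the original guide) that reads UMASK and HOME_MODE from a login.defs-style file, lists live umask lines in shell startup files that could override it, and finds home directories looser than 0700. It assumes a POSIX shell, awk, GNU grep and GNU find (-perm /mode); the function names are illustrative, and the two sample files it builds are constructed here and are not real distribution files.

```bash
#!/usr/bin/env bash
# Added example: audit the umask/HOME_MODE settings this guide configures.
# Assumes a POSIX shell, awk, GNU grep and GNU find. Function names are
# illustrative; the sample files below are constructed, not real ones.

# Print the value of KEY from a login.defs-style file, ignoring commented
# lines. This parser takes the last uncommented assignment; when editing the
# real file, change the existing line rather than relying on ordering.
login_defs_value() {  # $1 = file, $2 = key
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# Compare a login.defs file against the wanted UMASK and HOME_MODE. Values
# are compared as octal numbers so 077 and 0077 count as equal. Returns 0
# when both match and prints one line per deviation otherwise.
check_login_defs() {  # $1 = file, $2 = wanted UMASK, $3 = wanted HOME_MODE
    rc=0
    have_umask=$(login_defs_value "$1" UMASK)
    have_home=$(login_defs_value "$1" HOME_MODE)
    if [ $(( 0${have_umask:-0} )) -ne $(( 0$2 )) ]; then
        echo "UMASK is ${have_umask:-unset}, want $2"
        rc=1
    fi
    if [ -z "$have_home" ] || [ $(( 0$have_home )) -ne $(( 0$3 )) ]; then
        echo "HOME_MODE is ${have_home:-unset}, want $3 (useradd falls back to UMASK when unset)"
        rc=1
    fi
    return $rc
}

# Shell startup files run after pam_umask and can silently reset the value
# (RHEL's /etc/profile and /etc/bashrc set 002 or 022 by UID). List every
# live "umask NNN" line with file name and line number.
find_umask_overrides() {  # $@ = files to scan, e.g. /etc/profile /etc/bashrc /etc/profile.d/*.sh
    grep -nE '^[[:space:]]*umask[[:space:]]+[0-7]+' "$@" 2>/dev/null
}

# List home directories directly under $1 that grant any group or other
# access, i.e. anything looser than 0700.
find_loose_homes() {  # $1 = parent directory, e.g. /home
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077
}

# Constructed sample of a stock login.defs with 022 defaults; prints its path.
make_sample_login_defs() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real distribution file
#UMASK      077
UMASK       022
HOME_MODE   0750
USERGROUPS_ENAB yes
EOF
    echo "$f"
}

# Constructed sample of the UID-based umask logic in RHEL's /etc/bashrc.
make_sample_bashrc() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample; this comment mentions umask 077 but is not live
if [ "$UID" -gt 199 ] && [ "$(id -gn)" = "$(id -un)" ]; then
    umask 002
else
    umask 022
fi
EOF
    echo "$f"
}

# Demonstration on the constructed samples.
defs=$(make_sample_login_defs)
echo "== login.defs before hardening"
check_login_defs "$defs" 077 0700 || true
printf 'UMASK 077\nHOME_MODE 0700\n' >> "$defs"   # the edit this guide recommends
echo "== login.defs after hardening"
check_login_defs "$defs" 077 0700 && echo "ok"
brc=$(make_sample_bashrc)
echo "== live umask lines in the shell startup sample"
find_umask_overrides "$brc"
rm -f "$defs" "$brc"
```

On a real host, point check_login_defs at /etc/login.defs, find_umask_overrides at /etc/profile, /etc/bashrc or /etc/bash.bashrc and /etc/profile.d/*.sh, and find_loose_homes at /home; any umask line the scan reports that comes after your hardening line will win over it.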
Conclusion
For maximum privacy, use umask 077 so that every new file and directory is accessible only by its owner. umask applies to all future file creation by that user's processes, while HOME_MODE only sets the initial permissions of a home directory when useradd creates it (and when HOME_MODE is absent, useradd derives that mode from UMASK instead). Neither setting reaches daemons: a systemd service runs with umask 0022 unless its unit sets UMask=, so files written by services need their own hardening.
Administrators should choose umask settings based on their specific environment and security requirements, balancing privacy needs against operational requirements such as shared project directories.
Remember: umask affects new files only. Existing files keep their current permissions and may need manual adjustment, for example with find and chmod.
