ToolsOpsPermissions
Umask calculator — default Linux permissions
Type a umask value (022, 077, 0022…) and the calculator applies 666 & ~umask for files and 777 & ~umask for directories. It shows octal and symbolic results, tells file and directory defaults apart and returns a qualitative recommendation based on the chosen preset. Runs entirely in your browser.
Umask
Accepts 3 digits (022, 077) or 4 with a leading zero (0022). Octal digits only: 0-7.
Normalized umask: 022
Effective permissions for new files
- Octal
- 644
- Symbolic
- rw-r--r--
Effective permissions for new directories
- Octal
- 755
- Symbolic
- rwxr-xr-x
Bit table
| Audience | Default | Blocked by umask | Result |
|---|---|---|---|
| Owner | file: rw- dir: rwx | --- | file: rw- dir: rwx |
| Group | file: rw- dir: rwx | -w- | file: r-- dir: r-x |
| Others | file: rw- dir: rwx | -w- | file: r-- dir: r-x |
Recommendation: Sensible default
Files 644 and directories 755. The default on most Linux distros for regular users: owner is in control, group and others can read (and traverse directories). Good starting point.
How umask works
umask is a bit mask applied to the default permissions whenever a new file or directory is created. The central rule is: a bit set to 1 in the umask BLOCKS that permission in the result. It never adds permissions, only removes them.
The calculator applies the same formula the kernel uses: 666 & ~umask for files, 777 & ~umask for directories. The difference between the two base modes (666 vs 777) is why with the same umask 022 you get 644 on files but 755 on directories.
| Umask | File | Directory | Typical case |
|---|---|---|---|
000 | 666 (rw-rw-rw-) | 777 (rwxrwxrwx) | No masking — only full isolation |
002 | 664 (rw-rw-r--) | 775 (rwxrwxr-x) | Group collaboration |
022 | 644 (rw-r--r--) | 755 (rwxr-xr-x) | Sensible default |
027 | 640 (rw-r-----) | 750 (rwxr-x---) | Servers with multiple users |
077 | 600 (rw-------) | 700 (rwx------) | User-private, ~/.ssh |
777 | 000 (---------) | 000 (---------) | Blocks everything — teaching aid |
666 & ~umask (files)
Regular files start from a default of 666 (rw-rw-rw-). The execute bit is NOT added automatically for files (it is for directories). The kernel applies AND with the inverse of the umask:
- 022 → 666 & ~022 = 666 & 755 = 644 (rw-r--r--).
- 027 → 666 & 750 = 640 (rw-r-----).
- 077 → 666 & 700 = 600 (rw-------).
- 002 → 666 & 775 = 664 (rw-rw-r--).
777 & ~umask (directories)
Directories start from 777 because without the execute bit you cannot enter them. For umask 022:
- 022 → 777 & ~022 = 777 & 755 = 755 (rwxr-xr-x).
- 027 → 777 & 750 = 750 (rwxr-x---).
- 077 → 777 & 700 = 700 (rwx------).
- 002 → 777 & 775 = 775 (rwxrwxr-x).
chmod vs umask
The most common confusion. A mental rule that works:
- chmod changes permissions on files and directories that ALREADY exist. Retroactive.
- umask defines permissions for FUTURE files and directories, only inside the process that inherits it.
- umask never adds permissions: with umask 000, new files end up 666 (the default), not 777.
- For long-term policy, combine both: umask sets defaults, chmod fixes specific exceptions.
Risks by umask value
Each extreme has its own problems:
- umask 000: no masking — new files come out world-writable. Almost never right in production.
- umask 777: blocks everything. New files and directories come out 000, not even the owner can use them. Useful as a teaching aid, not as real config.
- umask 002 on untrusted groups: any group member can write. Only safe when the group is strictly controlled.
- umask too high (077) for processes that expect shared data: breaks collaboration. You have to know the service's data flow.
Frequently asked questions
- What is umask?
- umask (user file-creation mode mask) is a bit mask the kernel applies when creating each new file or directory. When a bit is set to 1 in the umask, that bit is BLOCKED in the result: it never adds permissions, only removes them. Each process inherits the umask from its shell, and the shell from its session; running `umask 022` only affects files created from that point on.
- Why does umask 022 create files 644 and directories 755?
- Files start from a default of 666 (rw-rw-rw-) and directories from 777 (rwxrwxrwx). The kernel applies `default AND NOT umask`. For 022: 666 & ~022 = 666 & 755 = 644 (rw-r--r--); 777 & ~022 = 777 & 755 = 755 (rwxr-xr-x). The default for regular files does NOT include the execute bit, so even if the umask allowed it, files never get x automatically.
- Which umask is safe for servers?
- 022 is the sensible default on most distros and is usually fine. For hosts with multiple users or services whose data should not leak across accounts, 027 is stricter (others have no access). For processes whose files should be invisible even to group members, 077. The important thing is to pick a value and apply it consistently (PAM, /etc/profile, systemd unit with `UMask=`).
- What is the difference between chmod and umask?
- chmod changes permissions on a file or directory that ALREADY exists. umask defines the permissions FUTURE files and directories will have when they get created, within the process that inherits the umask. Two different operations: to change what is there, chmod; to set defaults, umask. This calculator only handles umask; there is a sibling tool for chmod.
- Does umask change existing files?
- No. umask ONLY affects files and directories created from the moment it is applied, and only within the process that inherits it. If you need to change permissions retroactively, use chmod (or `find ... -exec chmod ...`).
- What does umask 077 mean?
- It is the most restrictive common umask. It blocks all group and other bits: new files come out 600 (rw-------) and directories 700 (rwx------). Only the owner reads, writes and enters. Use it for personal profiles, ~/.ssh, private repos and accounts that should not share data.