Learn › RHCSA (EX200) › Exam Orientation + Essential Tools
umask - a hands-on Linux lab on a real virtual machine.
Set the default permissions for new files and directories with umask (EX200 task 52). Files start at 666, directories at 777, and the umask is subtracted: 022 yields rw-r--r-- files and rwxr-xr-x directories, 027 yields rw-r----- and rwxr-x---. Make it permanent in ~/.bashrc or /etc/profile.d. On RHEL 10, default permissions means umask; ACLs were dropped.
In the last lesson you set permissions on files that already existed, one at a time, with chmod. Now flip the question around. When you run touch report.txt and the file appears with rw-r--r--, who decided that? You did not type any permission. Something chose it for you.
That something is the umask, and on RHEL 10 it is the entire story of default permissions. Red Hat dropped ACLs from the RHCSA objectives, so when the exam says set the default permissions for new files, it means exactly one thing: set the umask. This lesson is EX200 task 52, and it is pure arithmetic you can do in your head once you see the trick.
The black boxes below are a practice terminal: a safe sandbox that checks the one command each step teaches, so you cannot break anything. The permission strings you see (like rw-r--r--) are the real, stable output. The owner name, group, size, and date in each ls -l line belong to the capture machine and to one moment. Yours will read differently. The permission bits are the lesson.
umask stands for user file-creation mask. A mask is a filter: it does not grant permission, it takes permission away. Every time you create a file or a directory, the system starts from a fixed set of open permissions and then the umask strips bits back off before the thing lands on disk.
Two numbers you must memorise, because they never change:
666, which is rw-rw-rw-. Read and write for everyone, no execute.777, which is rwxrwxrwx. Full access for everyone.Why do files start at 666 and not 777? Safety. If every new file were executable, any text file you saved could be run as a program by accident. Directories DO need execute (that bit is what lets you enter a directory and reach what is inside), so they start at 777. You add execute to a file by hand with chmod +x only when you actually mean to.
The rule is: take the umask away from the starting number. The classic default umask is 022. Work it through:
Files: 666 - 022 = 644 -> rw-r--r--
Directories: 777 - 022 = 755 -> rwxr-xr-x
So the default 022 is exactly why your files come out rw-r--r-- and your directories come out rwxr-xr-x. You have been living with this number all along. Before you change it, read what it is right now. umask with no argument just prints the current value.
umask
prompt: student@servera:~$ answer: umask output: 0022 hint: The command is its own name, typed alone with nothing after it. Four letters, then Enter.
0022, four digits. The last three, 022, are the mask that matters. The leading 0 is a slot for special permission bits (setuid, setgid, sticky) that you will not touch here; on the exam it stays 0. So the machine is running the standard default, and that is precisely why new files arrive as 644 and new directories as 755. Read 0022 as: strip nothing from the owner, strip write from the group, strip write from everyone else.
Numbers on a page are one thing. Seeing them land on a real file is another. Set the umask explicitly to 022 (the value it almost certainly already holds) and then create a file and a directory so you can read the result with ls -l. Setting the mask you already have proves the mechanism without changing anything.
umask 022 sets it. Then touch u022.txt makes a file and ls -l shows its permissions.
prompt: student@servera:~$ answer: umask 022 output: hint: The command is umask followed by a space and the three-digit value you want to apply.
prompt: student@servera:~$ answer: touch u022.txt && ls -l u022.txt output: -rw-r--r--. 1 student student 0 Jul 5 18:36 u022.txt hint: Create the file with touch, then chain a second command with && and list just that one file with ls -l.
The owner (student), the group, the size (0), and the date belong to the capture machine and that moment; yours will differ, and the trailing dot after the permissions is SELinux telling you a context is attached. The part that is fixed everywhere is -rw-r--r--: the 644 you predicted from 666 - 022. That permission string is what the exam grades.
prompt: student@servera:~$ answer: mkdir d022 && ls -ld d022 output: drwxr-xr-x. 2 student student 6 Jul 5 18:36 d022 hint: mkdir makes the directory. To list the directory itself rather than its contents, ls needs the -d flag: ls -ld.
drwxr-xr-x, which is 755, exactly 777 - 022. The leading d marks it as a directory. Notice the directory kept its execute bits (the x in each group) while the file has none: same umask, different starting number, so different results. That split between 644 for files and 755 for directories from one umask is the single fact people trip over, so lock it in now. Use ls -ld (not plain ls) whenever you want the directory's own permissions instead of a listing of what is inside it.
The default 022 lets everyone on the system read your new files. On a shared server that is often too generous. The umask most hardened setups reach for is 027: keep full access for the owner, give the group read-only, and shut out everyone else completely. Work the math first, out loud in your head, before you run it:
Files: 666 - 027 = 640 -> rw-r-----
Directories: 777 - 027 = 750 -> rwxr-x---
Set 027, then create a fresh file and directory and check both. You are predicting rw-r----- for the file and rwxr-x--- for the directory.
prompt: student@servera:~$ answer: umask 027 output: hint: Same umask command as before, just a different three-digit value: the one that blocks other entirely.
prompt: student@servera:~$ answer: touch u027.txt && ls -l u027.txt output: -rw-r-----. 1 student student 0 Jul 5 18:36 u027.txt hint: Create the file with touch, chain with &&, then ls -l the one file. The permissions should show group read but no permission at all for other.
prompt: student@servera:~$ answer: mkdir d027 && ls -ld d027 output: drwxr-x---. 2 student student 6 Jul 5 18:36 d027 hint: mkdir then ls -ld on the new directory. The last three permission characters (the other field) should be all dashes.
The file is rw-r----- (640) and the directory is rwxr-x--- (750), just as the subtraction promised. Read the other field on both: ---, nothing. That is the whole point of 027 over 022. The 7 in the mask stripped every bit (read, write, execute) from other, so people outside the owner and group cannot even see in. Same file-versus-directory split as before: the file lost its execute anyway (it never had any to begin with, base 666), the directory kept the execute the group needs to enter it.
Everything so far vanished the moment the session ended. umask 027 typed at the prompt lasts only for that shell. The exam will often say the change must be permanent or survive a reboot, and that is a different job: you write the umask into a startup file that the shell reads every time it opens.
Two places, and knowing which to pick is the exam skill:
~/.bashrc. Run echo "umask 027" >> ~/.bashrc. From the next login on, only that user gets 027./etc/profile.d/. Run echo "umask 027" | sudo tee /etc/profile.d/custom-umask.sh. Every login shell on the system sources files in that directory, so the mask applies to everyone.On the exam, read the wording. If the task names one user or says for the user, use that user's ~/.bashrc. Only reach for /etc/profile.d/ when it says system-wide or for all users. Picking the wrong scope is a common way to lose the point even when your umask value is correct.
A umask digit is octal, so each of the three digits must be 0 through 7. Type an 8 or a 9 and the shell answers umask: 999: octal number out of range and refuses. If you see that error, you used a digit above 7.
Scaffolding off. No command is printed this time. You have every piece.
A task hands you this: new files this user creates should be readable and writable by the owner, readable by the group, and closed to everyone else. That is rw-r-----, which is 640. Work the mask from the file base: 666 - 640 = 026... but stop. The clean, exam-standard mask that gives files 640 (and gives directories the matching 750) is the one you drilled two steps ago. Set that mask for this session now.
prompt: student@servera:~$ answer: umask 027 output: hint: You want files at rw-r----- and directories at rwxr-x---. That is the tighter of the two masks you practiced, the one whose last digit is 7 to shut out other. Type umask then that value.
umask 027. Here is the subtlety worth carrying into the exam: 666 - 640 gives 026, and 026 would also make files 640, but it would leave directories at 751 (rwxr-x--x), giving other a stray execute bit. 027 gives the clean pair: files 640, directories 750, nothing for other anywhere. When a task fixes the FILE permission, prefer the mask whose last digit is 7 over one ending in 6, because it also does the sensible thing to directories. You recalled the mask from the target permission alone, which is exactly the move task 52 asks for.
You earned this cheat sheet. Every row is something you ran or reasoned through:
And the arithmetic that never changes: files start at 666, directories start at 777, and the umask is subtracted from the start.
On RHEL 10 this is the whole toolbox for default permissions. Earlier RHCSA versions also taught default ACLs for finer-grained defaults, but Red Hat removed ACLs from the RHCSA 10 objectives. If a task asks for default permissions, it means umask. Nothing more exotic is expected of you.
The practice terminal has shown you the whole mechanism: the 666 and 777 starting points, the subtraction that turns a mask into a permission, the file-versus-directory split, and the two files that make a umask permanent. Every command you typed yourself.
The Essential Tools module ends on one real RHEL 10 machine, the essential-tools capstone mission, and that is where you set a umask for real. A live server boots for you, and the mission hands you objectives drawn from this whole module: redirection, grep, ssh, archives, links, permissions, and this lesson's default permissions. One difference from here: the mission shows no commands. You read the objective, recall the umask, and type it. That recall is what makes it hold on exam day.
Finish the other Essential Tools lessons, then go set a default permission on a real machine.
Practice umask and Default Permissions in a real Linux terminal at The Linux Camp. Progress is verified automatically as you type commands on the machine.