Linux Special Permissions
Mahinsha Nazeer

Publish Date: Apr 20

Special permissions are a fourth permission type in addition to the user, group, and other types. As the name implies, special permissions provide additional access-related features beyond what the basic permission types allow. This section describes the impact of special permissions, which are summarized in the following table.

The setuid permission on an executable file means that commands run as the user that owns that file, rather than as the user that ran the command. One example is the passwd command:

[user@host ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 35504 Jul 16 2010 /usr/bin/passwd

The setgid special permission on a directory means that created files in the directory inherit their group ownership from the directory, rather than inheriting group ownership from the creating user. This feature is commonly used on group collaborative directories to automatically change a file from the default private group to the shared group, or if a specific group should always own files in a directory. An example of this behavior is the /run/log/journal directory:

[user@host ~]$ ls -ld /run/log/journal
drwxr-sr-x. 3 root systemd-journal 60 May 18 09:15 /run/log/journal

If setgid is set on an executable file, then commands run with the group that owns that file, rather than with the primary group of the user that ran the command. This condition is similar to the way that setuid works. One example is the locate command:

[user@host ~]$ ls -ld /usr/bin/locate
-rwx--s--x. 1 root slocate 47128 Aug 12 17:17 /usr/bin/locate

In a long listing, you can identify the setgid permissions by a lowercase s character in the place where you would normally expect the x character (group execute permissions). If the group does not have execute permissions, then this character is replaced by an uppercase S character.

Finally, the sticky bit for a directory sets a special restriction on deletion of files. Only the owner of the file (and the root user) can delete files within the directory. An example is the /tmp directory:

[user@host ~]$ ls -ld /tmp
drwxrwxrwt. 39 root root 4096 Feb 8 20:52 /tmp

In a long listing, you can identify the sticky permissions by a lowercase t character in the place where you would normally expect the x character (other execute permissions). If other does not have execute permissions, then this character is replaced by an uppercase T character.
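The four listings above are read by eye; as an added example that is not part of the original post, the following POSIX shell script does the same reading programmatically. It decodes the mode field of an `ls -l` line, reports which special bits are set, and distinguishes the lowercase s/t (execute bit present) from the uppercase S/T (execute bit absent) cases described above. The sample mode fields are the ones from this post plus two constructed edge cases; `decode_special` and `mode_of` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): decode the special-permission
# characters of an `ls -l` mode field, the way the sections above read them.
# Input: the 10-character mode field, e.g. "-rwsr-xr-x" (a trailing SELinux
# "." or ACL "+" is tolerated). Output: which special bits are set, and whether
# the underlying execute bit is present (lowercase s/t) or absent (uppercase S/T).
decode_special() {
    mode=$1
    # 1-based positions: 4 = user execute, 7 = group execute, 10 = other execute
    u=$(printf '%s' "$mode" | cut -c4)
    g=$(printf '%s' "$mode" | cut -c7)
    o=$(printf '%s' "$mode" | cut -c10)
    out=""
    case $u in
        s) out="${out}setuid(+x) " ;;
        S) out="${out}setuid(no-x) " ;;
    esac
    case $g in
        s) out="${out}setgid(+x) " ;;
        S) out="${out}setgid(no-x) " ;;
    esac
    case $o in
        t) out="${out}sticky(+x) " ;;
        T) out="${out}sticky(no-x) " ;;
    esac
    [ -n "$out" ] || out="none "
    printf '%s\n' "${out% }"   # drop the trailing space
}

# Mode field of an existing path, taken from ls so that the output matches
# what the listings above show.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample mode fields: the four from the post plus two edge cases
# (setuid without user execute, and a plain file with no special bits).
for m in '-rwsr-xr-x.' 'drwxr-sr-x.' '-rwx--s--x.' 'drwxrwxrwt.' '-rwSr--r--' '-rw-r--r--'; do
    printf '%-12s %s\n' "$m" "$(decode_special "$m")"
done

# Live check against the system /tmp directory, if present.
if [ -d /tmp ]; then
    printf '%-12s %s\n' "$(mode_of /tmp)" "$(decode_special "$(mode_of /tmp)")"
fi
```

On a typical system the last line prints `drwxrwxrwt.  sticky(+x)` (or without the SELinux dot), matching the /tmp listing above.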

Default File Permissions — UMASK:

Default file permission: 666

Default dir permission: 777

  • The umask is an octal bitmask that clears the permissions of new files and directories that a process creates.

For example:

If the umask is set to 0002, it clears only the write bit for other users.

If the umask is set to 0077, it clears all the group and other permissions of newly created files.

On creation, a file is assigned initial permissions. Two factors affect these initial permissions. The first is whether you are creating a regular file or a directory. The second is the current umask, which stands for user file-creation mask.

If you create a directory, then its initial octal permissions are 0777 (drwxrwxrwx). If you create a regular file, then its initial octal permissions are 0666 (-rw-rw-rw-). You must always explicitly add execute permission to a regular file. This step makes it harder for an attacker to compromise a system, create a malicious file, and run it.

Additionally, the shell session sets a umask to further restrict the initial permissions of a file. The umask is an octal bitmask that clears the permissions of new files and directories that a process creates. If a bit is set in the umask, then the corresponding permission is cleared on new files. For example, the umask 0002 clears the write bit for other users. The leading zeros indicate that the special, user, and group permissions are not cleared. A umask of 0077 clears all the group and other permissions of newly created files.

[user@host ~]$ umask
0022

If you create a regular file, then its initial octal permissions are 0666 (000 110 110 110, in binary representation). Then, the 0022 umask (000 000 010 010) disables the write permission bit for group and others. Thus, the owner has both read and write permission on files, and both group and other are set to read (000 110 100 100).


[user@host ~]$ umask
0022
[user@host ~]$ touch default.txt
[user@host ~]$ ls -l default.txt
-rw-r--r--. 1 user user 0 May 9 01:54 default.txt
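The AND-NOT calculation in the two paragraphs above can be carried out in the shell itself. The following script is an added example, not code from the original post or from Red Hat's course: `apply_umask` clears every umask bit from the 0666 or 0777 base, `mode_string` renders the octal result as the rwx field ls shows (including s/S and t/T for the special bits, which goes slightly beyond the umask paragraphs), and a final live check creates a file under umask 077 in a scratch directory to compare the observed and computed modes. All function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): compute the permissions a new
# file or directory receives under a given umask, and render the result the
# way ls shows it. Octal arguments may be given with or without the leading 0.

# apply_umask BASE UMASK -> resulting mode as 4-digit octal.
# Every bit set in the umask is cleared from the base (0666 for files,
# 0777 for directories); the "0" prefix forces octal interpretation.
apply_umask() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# bit BITS MASK NAME -> NAME if MASK is set in BITS, otherwise "-".
bit() {
    if [ $(( $1 & $2 )) -ne 0 ]; then printf '%s' "$3"; else printf '%s' '-'; fi
}

# mode_string OCTAL -> the 9-character rwx field, including s/S and t/T
# for the setuid, setgid and sticky bits carried in the leading octal digit.
mode_string() {
    m=$(( 0$1 ))
    special=$(( m >> 9 ))
    s=""
    i=2                                   # 2 = user, 1 = group, 0 = other
    while [ $i -ge 0 ]; do
        bits=$(( (m >> (i * 3)) & 7 ))
        s="$s$(bit $bits 4 r)$(bit $bits 2 w)"
        x=$(( bits & 1 ))
        case $i in
            2) sp=$(( special & 4 )) ;;   # setuid
            1) sp=$(( special & 2 )) ;;   # setgid
            0) sp=$(( special & 1 )) ;;   # sticky
        esac
        if [ $sp -ne 0 ] && [ $i -eq 0 ]; then
            if [ $x -ne 0 ]; then s="${s}t"; else s="${s}T"; fi
        elif [ $sp -ne 0 ]; then
            if [ $x -ne 0 ]; then s="${s}s"; else s="${s}S"; fi
        else
            s="$s$(bit $bits 1 x)"
        fi
        i=$(( i - 1 ))
    done
    printf '%s\n' "$s"
}

# Walk the post's cases: files start at 0666, directories at 0777.
for u in 0022 0002 0077; do
    f=$(apply_umask 0666 "$u")
    d=$(apply_umask 0777 "$u")
    printf 'umask %s: file %s (%s)  dir %s (%s)\n' \
        "$u" "$f" "$(mode_string "$f")" "$d" "$(mode_string "$d")"
done

# Live check: create a file under umask 077 in a scratch directory and compare
# the mode ls reports with the computed one (both should be rw-------).
scratch=$(mktemp -d)
( umask 077; touch "$scratch/private.txt" )
printf 'observed %s  computed %s\n' \
    "$(ls -l "$scratch/private.txt" | cut -c2-10)" "$(mode_string "$(apply_umask 0666 0077)")"
rm -rf "$scratch"
```

With the 0022 umask from the listing above the script reports `file 0644 (rw-r--r--)  dir 0755 (rwxr-xr-x)`, which is exactly the default.txt result shown.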

The root user can change the default umask for interactive non-login shells by adding a local-umask.sh shell startup script in the /etc/profile.d/ directory. The following example shows a local-umask.sh file:

[root@host ~]# cat /etc/profile.d/local-umask.sh
# Overrides default umask configuration
# Regular users (UID above 199) whose primary group name matches their
# username, i.e. a user private group, get 007; everyone else gets 022.
if [ "$UID" -gt 199 ] && [ "$(id -gn)" = "$(id -un)" ]; then
    umask 007
else
    umask 022
fi

The preceding example sets the umask to 0007 for users with a UID greater than 199 and with a username and primary group name that match, and to 0022 for everyone else. (Leading zeros can be omitted.) To set the umask to 0022 for everyone, create that file with the following content:

# Overrides default umask configuration
umask 022

Where the default umask comes from:

  • The default umask values for Bash are defined in the /etc/login.defs file and might be affected by settings in the /etc/profile and /etc/bashrc files, files in /etc/profile.d, or your account's shell initialization files.

reference: https://rol.redhat.com/rol/app/courses/rh124-9.0/
