Set File Permissions on Downloaded Files

When you download a file to the client using either sftp or scp, the file permissions of the downloaded file can depend on both the client configuration and the source file permissions.

If the file already exists on the client:

  • The client file permissions remain the same after a transfer; the transfer updates the contents of the file, but does not modify existing file permissions.

If the file does not exist on the client, the following factors affect the permissions set on the transferred file.

  • The downloaded file is given the same permissions as the source file provided there are no settings in effect on the client that prevent the creation of files with these permissions.

  • If there are local settings in effect that limit the permissions of newly created files, these are applied to the downloaded file. These settings can be globally configured, or can be modified for the current session using the umask command. Note: For uploads, the relevant umask is the server umask; for downloads, it is the local umask.

  • When downloading files, if the local umask is 0xx, 1xx, 4xx, or 5xx, the user write bit of the resulting file will be set regardless of the remote file permissions.

To set permissions on downloaded files using umask:

  1. Use umask to specify the limits you want for newly created files. For example, you can use either an octal number or a symbolic representation to limit new files to user-only read and write access.

    $ umask 066

    -or-

    $ umask u=rwx,g=x,o=x
  2. Connect to the server and download using either sftp or scp.

    With the sample umask shown above, downloaded files are created on the client without group or world access.

    NOTE: The file mode mask is specified differently for the octal and symbolic forms of the mask:

    • If the mask is specified as an octal number, the mode mask contains the permission bits that should not be set on a newly created file.

    • If the mask is specified as a symbolic representation, the mode mask specifies the bits that should be set.

The following session shows the use of umask to set permissions on files downloaded using sftp. The first file (file1) allows user, group, and world read/write access (666) on the server. The second file (file2) allows user read/write access, and group and world read-only access (644) on the server. After the download, both files allow user-only read/write access (600) on the client.

$ umask 066
$ sftp joe@myserver.com
Authentication successful.
sftp> ls -l file1
-rw-rw-rw-    0 joe   users     108 Sep 30 02:52 file1
sftp> get file1
/home/joe/file1                   108  0.0KB/s  00:00  100%
sftp> lls -l file1
-rw-------    0 joe   users     8 Sep 30 11:47 file1
sftp> ls -l file2
-rw-r--r--    0 joe   users     225 Sep 30 02:56 file2
sftp> get file2
/home/joe/file2                    225  0.0KB/s  00:00 100%
sftp> lls -l file2
-rw-------    0 joe   users     225 Sep 30 11:47 file2
sftp> exit
$
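
The rules above can be checked before a transfer with a small model like the following. This is an added example, not part of the original documentation; the helper names predict_download_mode and is_private are hypothetical, and the script only models the rules stated on this page for files that do not yet exist on the client.

```shell
#!/bin/sh
# Added example: models the permission rules described on this page.
# predict_download_mode and is_private are hypothetical helper names.

# Print the octal mode a newly created download is expected to get.
#   $1 = source file mode on the server (octal, e.g. 644)
#   $2 = local umask in octal form (e.g. 066)
predict_download_mode() {
    for arg in "$1" "$2"; do
        case "$arg" in
            ''|*[!0-7]*) echo "modes must be octal digits" >&2; return 2 ;;
        esac
    done
    p_src=$((0$1))
    p_mask=$((0$2))
    # Start from the source mode; the local umask removes its bits.
    p_mode=$(( p_src & ~p_mask & 0777 ))
    # A umask of 0xx, 1xx, 4xx or 5xx does not mask the user write bit,
    # so that bit is set regardless of the remote file permissions.
    if [ $(( p_mask & 0200 )) -eq 0 ]; then
        p_mode=$(( p_mode | 0200 ))
    fi
    printf '%03o\n' "$p_mode"
}

# Succeed only if the octal mode in $1 grants nothing to group or world.
is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Constructed inputs: file1 and file2 from the session above, plus a
# read-only source file downloaded under umask 022.
for pair in 666:066 644:066 444:022; do
    src=${pair%:*}
    mask=${pair#*:}
    mode=$(predict_download_mode "$src" "$mask")
    if is_private "$mode"; then
        note="user-only"
    else
        note="group or world access remains"
    fi
    echo "source $src, umask $mask -> $mode ($note)"
done
```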