Background
You need to set your file permission mode mask using the umask command. Once you do this, any new files that you copy into your respective directory will have the permissions set so that only the permission bits enabled via umask will be propagated through to the newly copied files.
$ umask
0022
# -or- symbolically
$ umask -S
u=rwx,g=rx,o=rx
The above states that the permissions g=w or o=w will be omitted (turned off, effectively). See this U&L Q&A titled: Execute vs Read bit. How do directory permissions in Linux work? for more on permissions if they're unclear.
NOTE: Unix umask can be a somewhat confusing topic because it's a mask: it masks out permission bits rather than stipulating which bits to use; you're saying which bits you don't want.
To put it more succinctly:
the umask only applies an extra mask to the permission bits of the file to be created. The permission bits of the file are primarily determined by the program creating the file, specifically by the mode parameter to the creat() or open() system calls. The execute bit is normally not set if there is no reason for it (like creating an executable file). No value of umask can add bits not specified by the creating program; umask only resets bits.
Your issue
Now back to your issue, let's touch afile:
$ touch afile
$ ls -l afile
-rw-r--r-- 1 vagrant vagrant 0 Jul 8 11:45 afile
In the above, the umask being set to 0022 stipulates that the permissions for group will have the 2 bit turned off (that's write) and the 2 bit off for other (that's write).
If we set the umask to 0007 and delete and re-touch the afile:
$ umask 0007; rm -f afile; touch afile; ls -l
total 0
-rw-r----- 1 vagrant vagrant 0 Jul 8 11:56 afile
The permissions are now such that other users have no access to the file (0007). This is because we've turned on all the bits (rwx) for the other component of permissions and are "masking" them from being set via our umask setting.
To restrict other users from accessing your directories through the Unix permissions, set your umask to 0007 to restrict the "other" group of users.
NOTE: If the files are set with a Unix group that other people are members of, they'll still be able to access the files. To restrict these, set the umask to 0077.
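As an added example, not part of the answer above: a POSIX shell script that performs the arithmetic the kernel applies (requested mode AND NOT umask) and checks the prediction against files really created under several umask values. It assumes the usual defaults, that touch asks open(2) for 0666 and mkdir asks mkdir(2) for 0777, and that either GNU or BSD stat is installed; the function names and the scratch-directory layout are the example's own.

```sh
#!/bin/sh
# Added example, not code from the original answer. Shows the arithmetic
# behind umask (requested_mode & ~umask) and checks it against files
# really created under several umask values. Assumes: touch asks open(2)
# for 0666 and mkdir asks mkdir(2) for 0777 (the usual defaults), and
# that GNU or BSD stat is available.

# effective_mode REQUESTED UMASK
# Prints REQUESTED & ~UMASK as four octal digits. Both arguments are
# read as octal, so "666" and "0666" mean the same thing.
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# mode_of PATH
# Permission bits of PATH as four octal digits (GNU stat, then BSD stat).
mode_of() {
    bits=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    printf '%04o\n' $(( 0$bits ))
}

# created_modes UMASK
# In a scratch directory, sets UMASK in a subshell (so the caller's umask
# is untouched), creates a file with touch and a directory with mkdir,
# and prints "FILEMODE DIRMODE".
created_modes() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        touch "$scratch/afile"
        mkdir "$scratch/adir"
    )
    printf '%s %s\n' "$(mode_of "$scratch/afile")" "$(mode_of "$scratch/adir")"
    rm -rf "$scratch"
}

# Compare prediction with reality. Note that umask 0000 still yields 0666
# for the file: the mask can only clear bits, it cannot add the execute
# bit that touch never asked for.
for m in 0022 0007 0077 0000; do
    set -- $(created_modes "$m")
    printf 'umask %s: touch -> %s (predicted %s)  mkdir -> %s (predicted %s)\n' \
        "$m" "$1" "$(effective_mode 0666 "$m")" \
        "$2" "$(effective_mode 0777 "$m")"
done
```

Save it as umask_demo.sh and run sh umask_demo.sh; each line should show the predicted and observed modes agreeing, with 0007 giving 0660 for the file and 0770 for the directory, and 0077 giving 0600 and 0700.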
.py, .sh) for executables is an anti-pattern: It leaks implementation detail. This will bite you if you change the implementation language. In the meantime it is just ugly. – ctrl-alt-delor Jul 08 '18 at 16:03