Set File Permissions on Downloaded Files

When you download a file to the client using either sftp or scp, the file permissions of the downloaded file can depend on both the client configuration and the source file permissions.

If the file already exists on the client:

  • The client file permissions remain the same after a transfer; the transfer updates the contents of the file, but does not modify existing file permissions.

If the file does not exist on the client, the following factors affect the permissions set on the transferred file.

  • The downloaded file is given the same permissions as the source file provided there are no settings in effect on the client that prevent the creation of files with these permissions.
  • If there are local settings in effect that limit the permissions of newly created files, these are applied to the downloaded file. These settings can be globally configured, or can be modified for the current session using the umask command. Note: For uploads, the relevant umask is the server umask; for downloads, it is the local umask.
  • When downloading files, if the local umask is 0xx, 1xx, 4xx, or 5xx, the user write bit of the resulting file will be set regardless of the remote file permissions.

To set permissions on downloaded files using umask:

  1. Use umask to specify the limits you want for newly created files. For example, you can use either of the following equivalent commands to limit new files to user-only read and write access.

    $ umask 066


    $ umask u=rwx,g=x,o=x

  2. Connect to the server and download using either sftp or scp.

    With the sample umask shown above, downloaded files are created on the client without group or world access.

The following session shows the use of umask to set permissions on files downloaded using sftp. The first file (file1) allows user, group, and world read/write access (666) on the server. The second file (file2) allows user read/write access, and group and world read-only access (644) on the server. After the download, both files allow user-only read/write access (600) on the client.

    $ umask 066
    $ sftp
    Authentication successful.
    sftp> ls -l file1
    -rw-rw-rw- 0 joe users 108 Sep 30 02:52 file1
    sftp> get file1
    /home/joe/file1 108 0.0KB/s 00:00 100%
    sftp> lls -l file1
    -rw------- 0 joe users 8 Sep 30 11:47 file1
    sftp> ls -l file2
    -rw-r--r-- 0 joe users 225 Sep 30 02:56 file2
    sftp> get file2
    /home/joe/file2 225 0.0KB/s 00:00 100%
    sftp> lls -l file2
    -rw------- 0 joe users 225 Sep 30 11:47 file2
    sftp> exit
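
The permission rules above can be checked after a transfer with the following shell helpers. This is an added example, not part of the product documentation or the client's own code; the function names (with_umask, perm_string, predicted_mode, mode_string) are hypothetical, and predicted_mode only models the rules as this page states them for a file that does not yet exist on the client.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of any sftp/scp client.

# Run one command under a temporary umask. The subshell means the caller's
# session umask is left unchanged afterwards.
# Usage: with_umask 066 scp SOURCE DEST
with_umask() {
    tmp_mask=$1; shift
    ( umask "$tmp_mask" && "$@" )
}

# Print the nine permission characters of an existing file, e.g. rw-------
perm_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Predict the mode of a NEW downloaded file from the rules stated on this page.
# Args: source mode and local umask, both octal (e.g. 644 066).
predicted_mode() {
    src=$((0$1)); mask=$((0$2))
    mode=$(( src & ~mask & 0777 ))   # source bits limited by the local umask
    # Page caveat: with umask 0xx, 1xx, 4xx or 5xx (user write not masked)
    # the user write bit is set whatever the remote permissions are.
    if [ $(( mask & 0200 )) -eq 0 ]; then
        mode=$(( mode | 0200 ))
    fi
    printf '%03o\n' "$mode"
}

# Convert an octal mode (e.g. 600) to the form printed by perm_string.
mode_string() {
    m=$((0$1)); bit=256; out=
    for c in r w x r w x r w x; do
        if [ $(( m & bit )) -ne 0 ]; then out=$out$c; else out=$out-; fi
        bit=$(( bit / 2 ))
    done
    printf '%s\n' "$out"
}
```

After a download, compare `perm_string FILE` with `mode_string "$(predicted_mode SRCMODE UMASK)"`; a mismatch on a file that already existed locally is expected, because its earlier permissions are kept.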