SFTP – Connections and File Permissions – Part 1

We did the SSH setup as described in “SSH setup – Key based authentication”.

In this article let's talk about “umask” and file permissions while doing SFTP.

When a “user” is created, the default “umask” is 0002 (-------w-), meaning no write permission for others. When the “user” creates a file, the default file permission is 666 (rw-rw-rw-) with the umask value subtracted, resulting in 664. When the “user” creates a folder, the default folder permission is 777 (rwxrwxrwx) with the umask value subtracted, resulting in 775. In the example below, the test.txt file permission is rw-rw-rw- with write removed for others = rw-rw-r--, and the test_folder permission is rwxrwxrwx with write removed for others = rwxrwxr-x.

Remember that this is not mathematical subtraction. For example, with the default mask 0002, if the file permission is already missing write permission for others (664), it won't become 662.


We can update the umask using “umask <id>”. In the example below, the umask is updated to 0022, which removes write permission for group and others. The default file permissions are now 0644 (see test2.txt) and the folder permissions are 0755 (see test2_folder).


Now let's SFTP these files from Bastion to Client, but before that, check the SFTP server binary on Client.


On Client, the “test” user has the default umask 0002, as we have not changed it since the user was created. There is no change in the permissions, as the files and folders are already missing write permission for others.


Now, as an example, we want files and folders to have no write permission for user, group and others, which corresponds to a “umask” of 0222. To make this permanent I've placed the umask in .bashrc, which takes effect as soon as we create a shell session for the test user. I've also done some cleanup by deleting the old files.


Let's try SFTP again. The files copied to Client are missing write permission for everyone, as expected.


With SFTP we cannot copy directories directly.


Created a couple of directories. Check the permissions of the folders, which are also missing write permission for everyone.


After copying, the permissions of the folder changed to the ones present on Bastion.


Let's create a file inside “test2_folder” on the Bastion host. “test2_folder_file.txt” has permission 664 when created on the Bastion host, and permission 444 on the Client host, following the “umask”.


On the Client host:


Let's try one more scenario: as we have a test2 user on Client, we will change its umask to 0022 and SFTP the files.


SFTP files from Bastion to Client, now as the test2 user:


On the Client host:


Now let me delete the files and try again with the “-P” option, which should retain the permissions as present on the Bastion host.


On the Client host:
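
The mask behaviour described in this article, as an added example that is not part of the original post: a umask clears permission bits rather than subtracting, and an uploaded file ends up with the source mode masked by the receiving user's umask unless -P is used. The function names are illustrative, and uploaded_mode is a model of the results reported here, not OpenSSH code.

```shell
#!/bin/sh
# Added example; function names are illustrative, modes are the article's.

# masked_mode REQUESTED UMASK: clear the umask bits from REQUESTED (octal).
masked_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# subtracted_mode REQUESTED UMASK: the arithmetic result a umask does NOT give.
subtracted_mode() {
    printf '%04o\n' $(( 0$1 - 0$2 ))
}

# uploaded_mode SOURCE_MODE RECEIVER_UMASK PRESERVE(yes|no)
# Assumption: models what the article observes. Without -P the receiving
# user's umask is applied to the source mode; with -P the source mode is kept.
uploaded_mode() {
    if [ "$3" = yes ]; then
        printf '%04o\n' $(( 0$1 & 07777 ))
    else
        masked_mode "$1" "$2"
    fi
}

# real_file_mode UMASK: create a file under UMASK and print the predicted
# mode only if the file on disk really has it (non-zero exit otherwise).
real_file_mode() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" )
    want=$(masked_mode 666 "$1")
    # find -perm MODE matches the exact permission bits (GNU and BSD find).
    hit=$(find "$dir/probe" -perm "$want")
    rm -rf "$dir"
    [ -n "$hit" ] && echo "$want"
}

# Constructed demo with the modes used in the article.
echo "664 under umask 0002: mask=$(masked_mode 664 0002) subtraction=$(subtracted_mode 664 0002)"
echo "new file / new folder, umask 0022: $(masked_mode 666 0022) / $(masked_mode 777 0022)"
echo "upload 664, receiver umask 0222: $(uploaded_mode 664 0222 no), with -P: $(uploaded_mode 664 0222 yes)"
echo "file created on disk under umask 0222: $(real_file_mode 0222)"
```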

