We have made numerous mentions of file permissions, showing how they control read, write, and execute access to files and directories. By careful choice of file permissions, you can, and should, control who can access your files.

The most important tool for access control is the umask command, since it limits the permissions assigned to all files that you subsequently create. Normally, you pick a default value and set it in the file that your shell reads on startup: $HOME/.profile for sh-like shells (see Section 14.7). System managers usually pick a umask setting in a corresponding system-wide startup file, when the shell supports one. In a collaborative research environment, you might choose a mask value of 022, removing write access for group and other. In a student environment, a mask of 077 might be more appropriate, eliminating all access except for the file owner (and root).

When nondefault permissions are likely to be required, shell scripts should issue an explicit umask command near the beginning, and before any files are created. However, such a setting does not affect files that are redirected on the command line, since they are already open when the script starts.

The second most important tool is the chmod command: learn it well. Even in a permissive environment where read access is granted to everyone, there are still files and directories that must be more restricted. These include mail files, web browser history and cache, ...