To make new files more secure by default, you can change the umask setting:
$ umask 0077
This umask makes sure that the group and others have absolutely no
permissions on any newly created files. So, how does the umask work? Unlike
"regular" permissions on files, the umask specifies which permissions should
be turned off. Let's consult our mode-to-digit mapping table so that
we can understand what a umask of 0077 means:
mode | digit |
rwx | 7 |
rw- | 6 |
r-x | 5 |
r-- | 4 |
-wx | 3 |
-w- | 2 |
--x | 1 |
--- | 0 |
Using our table, the last three digits of 0077 expand to
---rwxrwx. Now, remember that the umask tells the system which
permissions to disable. Putting two and two together, we can see that
all "group" and "other" permissions will be turned off, while "user"
permissions will remain untouched.
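The following shell script is an added example, not part of the original text, and its function names (`mode_of`, `created_modes`, `apply_umask`) are made up for illustration. It creates a file and a directory under a given umask and reports the resulting modes, which shows that "untouched" user permissions mean whatever the creating program requested: 0666 for a file made by shell redirection, 0777 for a directory made by `mkdir`.

```shell
#!/bin/sh
# Added example: observe which permission bits a umask turns off.

# mode_of PATH: print the octal permission bits of PATH.
mode_of() {
    # GNU stat takes -c; BSD/macOS stat takes -f.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# created_modes UMASK: create a file and a directory under UMASK inside a
# scratch directory and print "file_mode dir_mode".
# The ( ... ) body runs in a subshell, so the caller's umask is not changed.
created_modes() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/file"     # redirection asks the kernel for mode 0666
    mkdir "$tmp/dir"    # mkdir asks the kernel for mode 0777
    echo "$(mode_of "$tmp/file") $(mode_of "$tmp/dir")"
    rm -rf "$tmp"
)

# apply_umask REQUESTED UMASK: the same calculation done by hand:
# every bit set in the umask is cleared from the requested mode.
apply_umask() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Compare a common default (0022) with the restrictive 0077.
for mask in 0022 0077; do
    set -- $(created_modes "$mask")
    echo "umask $mask: file=$1 dir=$2"
    echo "  predicted: file=$(apply_umask 0666 "$mask") dir=$(apply_umask 0777 "$mask")"
done
```

Because the umask only clears bits, a file created under 0077 ends up as 600 rather than 700: the execute bit was never requested in the first place.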