diff --git a/bin/portzap b/bin/portzap
index ed2360e..d192c1d 100755
--- a/bin/portzap
+++ b/bin/portzap
@@ -1,6 +1,7 @@
 #!/bin/sh
 set -e
 
+##
 # Variables
 rootdir=$(dirname "$0")
 giturl="${PORTZAP_GITURL:-https://git.hardenedbsd.org/hardenedbsd/ports.git}"
@@ -9,30 +10,50 @@ installdir="${PORTZAP_INSTALLDIR:-/usr/ports/}"
 revision="${installdir}/.portzap"
 libexec=$(realpath "${rootdir}/../libexec/portzap/")
 
-# Masks
-clone_mask=007
-pull_mask=007
-
+##
 # Functions
+require_root() {
+    if [ $(id -u) -ne 0 ]; then
+        echo "This command requires root privileges."
+        exit 1
+    fi
+
+}
+
+require_membership_of() {
+    group=$1
+    if ! id -Gn | tr ' ' '\n' | grep -e "^${group}$"; then
+        echo "This command requires a user to be a member of ${group}."
+        exit 1
+    fi
+}
+
+require_dependency() {
+    deps=$1
+    for dep in $deps; do
+        if ! which -s "$dep"; then
+            echo "This command requires ${dep}, but it was not found."
+            exit 1
+        fi
+    done
+}
+
 . "$libexec/functions/portzap-install"
-. "$libexec/functions/portzap-pull"
-. "$libexec/functions/portzap-clone"
-. "$libexec/functions/requirements"
 
 case $1 in
     "clone")
-        require_deps git
-        require_group _portzap
-        portzap_clone "$portzap_dir" "$giturl" "$clone_mask"
+        require_dependency git
+        require_membership_of _portzap
+        ${libexec}/portzap/portzap-clone "${giturl}" "${gitdir}"
         ;;
     "pull")
-        require_deps git
-        require_group _portzap
-        portzap_pull "$portzap_dir" "$pull_mask"
+        require_dependency git
+        require_membership_of _portzap
+        ${libexec}/portzap/portzap-pull "${gitdir}"
         ;;
     "install")
         require_root
-        require_deps git
+        require_dependency git
         portzap_install "$installdir" "$portzap_dir" "$libexec" "$portzap_file"
         ;;
     *)
diff --git a/libexec/portzap/functions/portzap-clone b/libexec/portzap/functions/portzap-clone
deleted file mode 100644
index 023752c..0000000
--- a/libexec/portzap/functions/portzap-clone
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-portzap_clone() {
-    portzap_dir=$1
-    ports_url=$2
-    clone_mask=$3
-
-    if [ -e "$portzap_dir/.git" ]; then
-        echo "$portzap_dir exists."
-        echo "Run 'portzap pull' instead."
-        exit 1
-    fi
-    umask "$clone_mask"
-    git clone "$ports_url" "$portzap_dir"
-}
diff --git a/libexec/portzap/functions/portzap-pull b/libexec/portzap/functions/portzap-pull
deleted file mode 100644
index b99cb48..0000000
--- a/libexec/portzap/functions/portzap-pull
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-portzap_pull() {
-    portzap_dir=$1
-    pull_mask=$2
-    if [ -e "$portzap_dir/.git" ]; then
-        umask "$pull_mask"
-        cd "$portzap_dir" || exit 1
-        git pull --rebase origin hardenedbsd/main
-    else
-        echo "Run 'portzap clone' first."
-        exit 1
-    fi
-}
diff --git a/libexec/portzap/functions/requirements b/libexec/portzap/functions/requirements
deleted file mode 100644
index 91d3392..0000000
--- a/libexec/portzap/functions/requirements
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-
-require_deps() {
-    deps=$1
-    for dep in $deps; do
-        if ! which -s "$dep"; then
-            echo "$dep" is required, but not found
-            exit 1
-        fi
-    done
-}
-
-require_group() {
-    group=$1
-    cmd=$(id -Gn | tr ' ' '\n' | grep "^${group}$")
-    if [ "$cmd" != "$group" ]; then
-        echo "You must be a member of the '$group' group to run this command."
-        exit 1
-    fi
-}
-
-require_root() {
-    if [ "$(id -u)" != "0" ]; then
-        echo "The install command must be run as root."
-        exit 1
-    fi
-}
diff --git a/libexec/portzap/portzap-clone b/libexec/portzap/portzap-clone
new file mode 100755
index 0000000..8e405b5
--- /dev/null
+++ b/libexec/portzap/portzap-clone
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+giturl=$1
+gitdir=$2
+if [ -e "${gitdir}/.git" ]; then
+    echo "${gitdir} already exists."
+    echo "Try 'portzap pull' instead."
+    exit 1
+fi
+umask u=rwX,g=rwX,o=
+git clone "${giturl}" "${gitdir}"
diff --git a/libexec/portzap/functions/portzap-install b/libexec/portzap/portzap-install
old mode 100644
new mode 100755
similarity index 99%
rename from libexec/portzap/functions/portzap-install
rename to libexec/portzap/portzap-install
index bd73bb5..2a35b89
--- a/libexec/portzap/functions/portzap-install
+++ b/libexec/portzap/portzap-install
@@ -1,4 +1,5 @@
 #!/bin/sh
+set -e
 
 __portzap_install_update() {
     portzap_file=$1
diff --git a/libexec/portzap/portzap-pull b/libexec/portzap/portzap-pull
new file mode 100755
index 0000000..013ee08
--- /dev/null
+++ b/libexec/portzap/portzap-pull
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+gitdir=$1
+umask=rwX,g=rwX,o=
+if [ -e "${gitdir}/.git" ]; then
+    cd "${gitdir}"
+    git pull --rebase origin hardenedbsd/main
+else
+    echo "A copy of the hardenedbsd ports tree wasn't found."
+    echo "Try 'portzap clone' instead."
+    exit 1
+fi