Setting the umask for SFTP transactions
I ran into this problem when I was setting up a web server for a team building our company web site. There were two developers, both of whom would be uploading files to the machine, and each was going to want to modify the other's files when needed. I created a common group and set the sgid bit on the parent directory. I didn't want to open up plain FTP access to the box, so I told them to use SFTP or SCP. This worked great until I found that each user's umask was not being applied to new files and directories: the two developers could see each other's files but not modify them. I found that the sftp process is spawned by the root user and that root's umask is applied to the transaction. I wasn't in favor of modifying the root umask, so I came up with another solution.
The only thing I could find to work was to create a wrapper script around the sftp process that would temporarily set the umask for the transaction.
First I created the wrapper script:
#!/bin/bash
umask 0002
# The path to your sftp-server binary may differ
exec /usr/libexec/openssh/sftp-server
Then I pointed the Subsystem directive in the sshd_config file to my script:
Subsystem sftp /opt/sftp-server-wrapper.sh
A quick restart/reload of the sshd configuration and I was in business. Both users could see and edit each others files. Email or comment with questions.
—Edit (20090619)
Or, even simpler still, as Gilles pointed out in the comments, you can do away with the wrapper script entirely and simply change the Subsystem line in your sshd_config to this:
Subsystem sftp /bin/sh -c 'umask 0002; /usr/libexec/openssh/sftp-server'
Thanks Gilles!
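As an added illustration (not part of the original post), the following script shows what the wrapper's umask 0002 changes for a shared setgid directory like the one described above: it creates files under root's typical 0022 umask and under the wrapper's 0002 and reports the resulting modes. It assumes GNU coreutils (stat -c, mktemp) and a writable /tmp; the directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): what the wrapper's
# "umask 0002" changes for files created in a shared setgid directory.
# Assumes GNU coreutils (stat -c, mktemp) and a writable /tmp or $TMPDIR.

# Scratch copy of the shared directory from the post: setgid (2775),
# so files and subdirectories created in it inherit its group.
make_shared_dir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/umask-demo.XXXXXX") || return 1
    chmod 2775 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Create an empty file under the given umask and print its octal mode.
# The umask is set in a subshell so the caller's own umask is untouched,
# which is the same isolation the wrapper gives the sftp-server process.
mode_with_umask() {
    mask=$1; dir=$2; name=$3
    ( umask "$mask" && : > "$dir/$name" ) || return 1
    stat -c '%a' "$dir/$name"
}

# Same check for a directory; mkdir honours the umask as well.
dir_mode_with_umask() {
    mask=$1; dir=$2; name=$3
    ( umask "$mask" && mkdir "$dir/$name" ) || return 1
    stat -c '%a' "$dir/$name"
}

demo() {
    shared=$(make_shared_dir) || exit 1
    # root's typical 0022 gives 644: the other developer cannot write it.
    printf 'umask 0022 -> file mode %s\n' "$(mode_with_umask 0022 "$shared" a.txt)"
    # the wrapper's 0002 gives 664 (files) and 2775 (dirs): group-writable.
    printf 'umask 0002 -> file mode %s\n' "$(mode_with_umask 0002 "$shared" b.txt)"
    printf 'umask 0002 -> dir mode  %s\n' "$(dir_mode_with_umask 0002 "$shared" sub)"
    rm -rf "$shared"
}

demo
```

Running it against the real shared directory as the root-spawned sftp-server would is the quickest way to confirm the wrapper is actually in effect: an uploaded file showing 644 means the umask change never reached the sftp-server process.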


#1 by Joel on October 4th, 2008 - 8:28 pm
This was a 3 hour pain for me on Ubuntu. But this helped a lot.
For Ubuntu here is what I did (similar to above):
Create a shell file (note the .sh extension) with your favourite editor (vi for me)
$ sudo vi /usr/lib/openssh/sftp-server.sh
Add the following lines:
#!/bin/bash
umask 0002
/usr/lib/openssh/sftp-server
Set the execute permissions
$ sudo chmod +x /usr/lib/openssh/sftp-server.sh
Edit the sshd_config
$ sudo vi /etc/ssh/sshd_config
Add .sh to the end of the Subsystem line (near the bottom of the file):
Subsystem sftp /usr/lib/openssh/sftp-server
becomes:
Subsystem sftp /usr/lib/openssh/sftp-server.sh
Then restart the sftp server
$ sudo /etc/init.d/ssh restart
And finally it worked :S
#2 by joe on October 28th, 2008 - 7:30 am
I tried this but it didn't work fine for me. When a user uploads files using scp or sftp it preserves the old permissions the file had on the sending side. What may be done?
Regards,
#3 by jeffro on October 28th, 2008 - 2:44 pm
You need to double check if the Subsystem script is even being run. Add an echo statement before and after setting the umask and redirect it to a file. Check if the file is even being created.
And just to check, you did restart SSHD after you made these edits, correct?
#4 by Kaanon on November 18th, 2008 - 4:16 pm
Thank goodness for you! I was getting pretty discouraged.
#5 by PE BESSE on February 19th, 2009 - 1:03 pm
Thanks a lot for your help.
#6 by Xivind on March 19th, 2009 - 5:46 pm
Thanks a lot for this tip guys. Worked right away, and probably more secure also than to change the umask by using the profile documents.
#7 by Fozzy on April 3rd, 2009 - 4:13 pm
I can't seem to get this to work either and it might have something to do with using OpenSSH's built-in chroot (jail).
In this case, the Subsystem used is "internal-sftp" and I adjusted the script accordingly, but when I try to log in, I get an error about not having BASH or something, which I don't, as I set the shell to "/bin/false" as per the sftp config directions.
I can’t seem to find a way to get this to work when chrooting.
#8 by jeffro on April 6th, 2009 - 11:57 am
@Fozzy
Unfortunately OpenSSH requires a valid shell to operate. You might try RSSH if you don’t want to allow users a full shell.
RSSH tutorial: ( http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html )
#9 by ernesto on April 30th, 2009 - 5:55 am
Thanks, very helpful, I googled for a long time for this!
#10 by Gilles Detillieux on June 18th, 2009 - 4:31 pm
Thanks for the handy tip! I had been trying to figure this problem out. It turns out you can even do away with the wrapper script, and instead just change the Subsystem line in sshd_config to this:
Subsystem sftp /bin/sh -c 'umask 0002; /usr/libexec/openssh/sftp-server'
Works for me, anyway. It won’t work in a chroot jail, though, which isn’t an issue for me.
#11 by jeffro on June 19th, 2009 - 8:26 am
@Gilles Detillieux
Very nice tip also! I will add it to the article, thank you for posting your update.
#12 by Lucky on July 5th, 2009 - 8:52 pm
A gentleman from the Ubuntu forums directed me here, as I was having the same problem. Thank you for the help!
#13 by subba on September 29th, 2009 - 10:31 am
How to use this umask setting for “Subsystem sftp internal-sftp”?
#14 by jeffro on September 29th, 2009 - 10:43 am
@subba
Not sure I understand your question…Can you try to be more clear?
#15 by kishba on October 27th, 2009 - 1:57 pm
Someone from Rackspace sent me to this article and it worked with RHEL 5 with one minor modification. Rather than umask 0002 I had to use 002.
#16 by Patrick Fisher on October 28th, 2009 - 6:54 pm
Thank you very much, very helpful. Wish this article came up higher in the Google search results!
#17 by jeffro on November 5th, 2009 - 4:49 pm
@kishba
@ Patrick Fisher
I am glad you both found it useful!
#18 by Mark Jones on December 3rd, 2009 - 12:32 pm
All,
I was able to compile and create an RPM using SFTPfilecontrol and OpenSSH 5.2p1 which will allow you to set the umask.
Steps:
1. Download tar from openssh.com
2. Download sftpfilecontrol v1.3 from sftpfilcontrol.sourceforge.com
3. Extract the tar and then run patch -p0 < /path/to/patch with the patch in the same root directory you extracted from.
4. Tar the source back up and keep extracted directory
5. Use the new source and follow these directions for RHEL or CentOS to create a distributable package:
http://binblog.wordpress.com/2009/02/27/packaging-openssh-on-centos/
#19 by Mark Jones on December 3rd, 2009 - 5:39 pm
I just reread my post and it looks a little confusing, sorry all hah.
Anyway, with the SFTPfilecontrol patch it works with chroot jailing; I have tested it out and it works. It gives you a line in sshd_config where you set the umask.
If you have any questions on the stuff or want the RPM’s compiled already you can email me at mark d jones 82 at hotmail com
no spaces and dots, just putting that to avoid spam.
#20 by jeffro on December 4th, 2009 - 12:52 pm
Thanks for the post Mark. While this sounds like a good suggestion, I generally steer away from custom compiled versions of software. This will most likely solve the issue of setting the umask but will cause headaches down the road when security patches are released and you have to do the whole exercise over again.
Just my opinion, others may have differing views.
BTW, that link (sftpfilcontrol.sourceforge.com) doesn’t go anywhere. In fact I can’t find anything on Sourceforge about a project named sftpfilcontrol. A little help here?
#21 by Mark Jones on December 5th, 2009 - 1:03 am
Jeff,
You do have a point in regards to security patches, but if you follow the link the source is actually compiled to RPM using Red Hat contributions to the package. So, down the line I believe RHEL will be integrating this and security patches should work.
RHEL only supports 4.3 right now, but it appears they have plans to go to 5.2 at some point.
File control has been implemented in AIX and HP-UX already, I believe, in the OpenSSH on there.
Here is the link for the file control:
http://sftpfilecontrol.sourceforge.net/
#22 by fwiffo on January 13th, 2010 - 1:47 pm
@jeffro, this is similar to subba’s question.
Using this in sshd_config:
Match Group sftponly
ChrootDirectory /var/sftp
ForceCommand internal-sftp
Wanting to set the umask on RHEL 5, OpenSSH 5.3; sftpfilecontrol does not have a patch for 5.3.
Any ideas?
#23 by cjackson on March 12th, 2010 - 9:18 pm
I tried implementing this, but the files that are being copied via an SFTP connection are simply maintaining the permissions they have from the original source. Any ideas on what may be causing this?
#24 by jeffro on March 13th, 2010 - 10:42 am
Not entirely sure without a few more details. The only thing I can think of right now is that the copy transaction is being performed with some sort of preserve permissions flag. Are you using a client or the command line to copy the files?
#25 by Jason K on April 6th, 2010 - 12:20 pm
Jeff,
Thanks a lot, we've spent a lot of time looking for a solution when we upgraded our Mac servers to 10.5 from 10.4.
Neither AFP nor SMB achieved the permissions we wanted on uploaded files.
SFTP did, but the client was using Dreamweaver which does not have any advanced permissions settings in it, but this gets us around it.
Cheers.
Jason K
#26 by lr on May 27th, 2010 - 1:34 pm
Hi,
5.4: Changes since OpenSSH 5.3
Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has. bz#1229
http://openssh.com/txt/release-5.4
#27 by Ankit on June 27th, 2010 - 10:07 am
Hi, I need help setting up OpenSSH with the sftpfilecontrol patch.
#28 by Ankit on June 27th, 2010 - 10:09 am
I have followed the above instructions from Mark Jones and was able to get the RPM built with the patch, but I still don't find my sftp to be working.
Can anyone please help me out?
#29 by jeffro on June 27th, 2010 - 5:25 pm
This post is in support of the sftp wrapper script, not the patched RPM. I haven’t tried the patched binary so I can’t answer any questions concerning it.
#30 by gaojinbo on July 8th, 2010 - 4:00 am
Good.
Thanks a lot for your help.
#31 by abelr on July 23rd, 2010 - 5:17 pm
Thanks for the info update. However, neither the wrapper script nor the direct modification to enable the umask settings suffices. It still defaults to the umask of root on RHEL 5.
Here is what I noticed: the parent process is owned by root and the child process is owned by the sftp user.
Note: sftp-server is version 3 and not running in a jail environment.
#32 by jeffro on July 23rd, 2010 - 9:27 pm
Hi @abelr, I am sorry to hear that you couldn't get this working. Unfortunately, I originally set this up on a RHEL 5 box, so I know without a doubt it works there. Since then I have implemented it successfully in CentOS, Debian and Ubuntu. You did remember to restart the SSHD daemon after making the config changes, correct?