Bug 1229 - No way to set default umask for SFTP server
Summary: No way to set default umask for SFTP server
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sftp-server
Version: 4.3p2
Hardware: Other Mac OS X
Importance: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Duplicates: 1715
Depends on:
Blocks: V_5_4
Reported: 2006-09-16 07:18 AEST by Amy Louv
Modified: 2023-01-13 13:56 AEDT

See Also:


Attachments
Add -u option to sftp-server (2.08 KB, patch)
2006-11-10 02:50 AEDT, Damien Miller
Revised patch (2.26 KB, patch)
2009-08-27 10:13 AEST, Damien Miller

Description Amy Louv 2006-09-16 07:18:03 AEST
There is no way to set a default umask for the SFTP server.

Steps to Reproduce:

1. Enable SFTP server.
2. Connect using command-line sftp client.
3. Put a file to the server.
4. ls -l, and you'll see that the file has not been created group-writable.

Expected Results

There should either be some way to configure the server so that the default umask will be as desired, such as 0002, or the file should take the umask and group id from the enclosing parent folder.  This is a must if multiple developers are to use SFTP to work on the same set of files in the web server, for example. 

Actual Results:  The server always creates files with its own umask, the default of which cannot be changed.

Workaround:   Use FTP instead, and risk having your passwords stolen.
Comment 1 Darren Tucker 2006-10-03 19:21:35 AEST
(In reply to comment #0)
> There is no way to set a default umask for the SFTP server.
[...]
> Workaround:   Use FTP instead, and risk having your passwords stolen.

Another workaround: sftp-server inherits its umask from the shell (since it's run via "sh -c") so you can set it in /etc/profile or equivalent.

That said, since sftp-server understands arguments these days then adding one for umask might be a reasonable idea.
Comment 2 Hans Rakers 2006-11-09 20:52:44 AEDT
I think there's a bunch of Gentoo users including me that are interested in this feature as well, now that the Gentoo core system packages team decided to ditch the sftplogging (http://sftplogging.sourceforge.net/) features of the openssh ebuild.

See my ticket at http://bugs.gentoo.org/show_bug.cgi?id=154440

Comment 3 Damien Miller 2006-11-10 02:50:46 AEDT
Created attachment 1205
Add -u option to sftp-server

This is easy now that sshd_config Subsystem declarations (and sftp-server) can accept commandline arguments. This patch adds a -u option to sftp-server to set an explicit umask. Please test.
Comment 4 Hans Rakers 2006-12-14 01:17:05 AEDT
I have just tested your patch against openssh 4.5p1 and it works fine for the umask-setting part.

I did add a small change to process_open to mimic the behavior of the sftplogging patch, which is to set the mode to 0666 to force the umask on newly created files. Same for process_mkdir, with mode 0777.
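
The interaction between a server-side umask and the mode a client requests, which comments 3 and 4 turn on, shown as an added example that is not part of this bug thread, the attached patches, or OpenSSH's code. The function name `created_mode` and the scratch path under /tmp are assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a file the way a file server would on behalf of a client:
 * apply server_umask, open with requested_mode, and return the
 * permission bits the file actually received (-1 on error).
 * The scratch path is constructed for this demo. */
static int created_mode(mode_t server_umask, mode_t requested_mode)
{
    char path[64];
    struct stat st;
    int fd, result = -1;
    mode_t old;

    snprintf(path, sizeof(path), "/tmp/umask-demo-%ld", (long)getpid());

    old = umask(server_umask);
    /* O_EXCL: refuse any pre-existing path, including a symlink. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested_mode);
    umask(old);              /* restore the caller's umask */

    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 07777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    /* A umask only clears bits: it never adds group-write on its own. */
    printf("umask 0022, client asks 0644 -> %04o\n", (unsigned)created_mode(0022, 0644));
    printf("umask 0002, client asks 0644 -> %04o\n", (unsigned)created_mode(0002, 0644));
    printf("umask 0002, client asks 0600 -> %04o\n", (unsigned)created_mode(0002, 0600));
    /* Forcing the requested mode to 0666 makes the umask the only
     * factor that decides the result. */
    printf("umask 0002, mode forced 0666 -> %04o\n", (unsigned)created_mode(0002, 0666));
    printf("umask 0027, mode forced 0666 -> %04o\n", (unsigned)created_mode(0027, 0666));
    return 0;
}
```

With a umask of 0002 a client that asks for 0644 or 0600 still gets a file without group write; only when the requested mode is 0666 does the umask alone set the outcome.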
Comment 5 Darren Tucker 2009-07-31 11:22:05 AEST
We should look at this for the 5.4 release.
Comment 6 Damien Miller 2009-08-27 10:13:33 AEST
Created attachment 1673
Revised patch
Comment 7 Damien Miller 2009-08-28 03:29:12 AEST
patch applied. This will be in openssh-5.4
Comment 8 Damien Miller 2009-10-06 15:02:53 AEDT
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.
Comment 9 Damien Miller 2010-02-24 05:34:54 AEDT
*** Bug 1715 has been marked as a duplicate of this bug. ***
Comment 10 Darren Tucker 2010-03-26 10:51:31 AEDT
With the release of 5.4p1, this bug is now considered closed.