[Bug 1844] New: Explicit file permissions enhancement to sftp-server
    bugzilla-daemon at bugzilla.mindrot.org 
    Fri Dec 10 10:59:28 EST 2010

https://bugzilla.mindrot.org/show_bug.cgi?id=1844
           Summary: Explicit file permissions enhancement to sftp-server
           Product: Portable OpenSSH
           Version: 5.6p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sftp-server
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: candland at xmission.com
Created attachment 1973
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1973
Force file permissions for sftp-server
Hello,
I have found that I require more control over file permissions for
incoming files via sftp-server/internal-sftp than the -u <umask>
parameter can provide.
Please see the attached patch.  It adds yet another option to
sftp-server (-m) that will force file permissions and will ignore
permissions specified by the client.  The numeric permissions following
the -m parameter are bounds checked by the same method now used for the
-u parameter and can only range from 0 - 0777.
Implementation in sshd_config would obviously be something like:
-----------------------------------------------
Match Group sftponly
ChrootDirectory /home/chroot-%u
ForceCommand internal-sftp -m 660
-----------------------------------------------
or
----------------------------------------------------
Subsystem       sftp    /path/to/sftp-server -m 600
----------------------------------------------------
I have tested extensively on several Linux distributions and have been
using the changes in our production sftp-server environment.
Note that the attached patch updates sftp-server.8 version 1.19 and
sftp-server.c version 1.93.
Please consider including this change or something similar in the next
release.
Thanks!
-Rob Candland
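
The difference between -u and the proposed -m, as an added C illustration (not the attached patch and not OpenSSH source code): a umask can only clear bits from the mode the client requests, while a forced mode replaces it. The function names parse_octal_mode and effective_mode are hypothetical, and the sketch assumes the forced mode becomes the final file mode with no umask applied on top.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Parse an octal permission argument, accepting only 0 .. 0777.
 * Returns 0 and stores the value in *out, or -1 on any error. */
int parse_octal_mode(const char *arg, mode_t *out)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 8);          /* base 8: "660" means 0660 */
    if (errno != 0 || *end != '\0' || v < 0 || v > 0777)
        return -1;                     /* trailing junk, setuid/sticky bits, etc. */
    *out = (mode_t)v;
    return 0;
}

/* Mode a newly created file ends up with (assumed model, see lead-in).
 * client_mode: permissions requested by the SFTP client
 * mask:        umask, as set with -u
 * forced:      mode given with the proposed -m, or -1 if -m is absent */
mode_t effective_mode(mode_t client_mode, mode_t mask, long forced)
{
    if (forced >= 0)
        return (mode_t)forced & 0777;  /* client request is ignored */
    return client_mode & ~mask & 0777; /* umask can only remove bits */
}

int main(void)
{
    mode_t forced;

    /* Constructed case: client asks for 0600, server wants 0660. */
    printf("-u 007 : %04o\n", (unsigned)effective_mode(0600, 0007, -1));
    if (parse_octal_mode("660", &forced) == 0)
        printf("-m 660 : %04o\n",
               (unsigned)effective_mode(0600, 0007, (long)forced));
    return 0;
}
```

With a client that uploads as 0600, no umask value yields a group-writable file, which is the gap the report describes.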