[Bug 1844] Explicit file permissions enhancement to sftp-server

bugzilla-daemon at bugzilla.mindrot.org
Sun Oct 9 02:08:29 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1844

Donjan <bryonak at freenet.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bryonak at freenet.de

--- Comment #1 from Donjan <bryonak at freenet.de> 2011-10-09 02:08:29 EST ---
I strongly support this patch or alternatively the sftpfilecontrol one
(http://sftpfilecontrol.sourceforge.net/).

Usage scenario:
Client opens sftp connection to server, browses to a setgid 'workgroup'
directory (he's in the corresponding group) and creates a new file. In
order for other users in this group to be able to edit the file, it
should have ...rw-... permissions.

By using the -u flag in sshd_config:
  Subsystem sftp /usr/lib/openssh/sftp-server -u002
The client's umask gets shadowed, but not overridden. That is, if the
client has 022 for his umask (as most do), the -u flag can't achieve
g+w on new files (it does however, for example, correctly flatten the
group permissions with -u070).

This should be independent of wildly varying client setups, so asking
every user to change his local umask is not a practicable way.

The patch in this report would allow setting a -m flag in sshd_config;
the sftpfilecontrol patch mentioned above would allow a SftpUmask
option also in sshd_config. Either of which would be highly useful for the
described setup.

Thanks and best wishes
Donjan Rodic

PS: Rob, does your patch handle directories as well?
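
The umask behaviour described in the comment above, as an added example that is not part of the original message or of either patch. It assumes the client requests mode 0644 for a new file (as a client with local umask 022 would); `created_mode` and `forced_mode` are hypothetical names, and `forced_mode` only stands in for an explicit server-side mode without reproducing how `-m` or `SftpUmask` are implemented.

```python
import os
import stat
import tempfile


def created_mode(server_umask, requested_mode, forced_mode=None):
    """Create a file as a server process would; return its permission bits.

    server_umask   -- process umask, as set with `sftp-server -u`
    requested_mode -- mode passed to open(2); assumed to be what the client
                      asked for, already narrowed by the client's own umask
    forced_mode    -- hypothetical explicit server-side mode, applied with
                      fchmod() after creation (assumption, not the patch)
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "newfile")
        previous = os.umask(server_umask)
        try:
            # The kernel stores requested_mode & ~umask: a umask can only
            # clear bits, it can never add group write.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                         requested_mode)
        finally:
            os.umask(previous)
        try:
            if forced_mode is not None:
                os.fchmod(fd, forced_mode)  # not filtered by the umask
            return stat.S_IMODE(os.fstat(fd).st_mode)
        finally:
            os.close(fd)


if __name__ == "__main__":
    # Constructed cases matching the scenario in the comment.
    cases = [
        ("-u002, client asks 0644", 0o002, 0o644, None),
        ("-u002, client asks 0664", 0o002, 0o664, None),
        ("-u070, client asks 0644", 0o070, 0o644, None),
        ("-u002, 0644, forced 0664", 0o002, 0o644, 0o664),
    ]
    for label, mask, requested, forced in cases:
        mode = created_mode(mask, requested, forced)
        group_write = "yes" if mode & stat.S_IWGRP else "no"
        print(f"{label:26} -> {mode:04o}  group-writable: {group_write}")
```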
