setting umask for internal-sftp users

Will Johnston will at ehawaii.gov
Fri Jan 9 13:58:36 EST 2009


I'm running OpenSSH 5.1p1 on openSUSE 10.3 (i586) and I want to set up chroot jails for certain 
SFTP-only users.  I use the following lines in my sshd_config file:

Match Group sftponly
ChrootDirectory /home/chroot-%u
ForceCommand internal-sftp

It works great.

The problem is that some of my users need umask 002 for their uploads.  I tried a few ways to 
achieve this:

  * set umask in sshrc, .profile, etc... fails because no shell is used with internal-sftp

  * set the umask to 002 before launching sshd so the sftp server process will inherit it...
    fails because sshd resets umask to a minimum of 022 on startup (seems like a good idea)

My solution was to add an option for internal-sftp that sets the umask.  So, I can put this in my 
configuration:

Match Group sftponly
ChrootDirectory /home/chroot-%u
ForceCommand internal-sftp -u 002

I've attached my patch.  It's working with no problems for me.

Please consider including this change or something similar in the next release.


-- 
Will Johnston
Hawaii Information Consortium, LLC

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sftp-umask.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090108/c5ef31cf/attachment-0001.ksh 
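
The behaviour the message asks for, as an added example that is not part of the original post and is not the attached patch: validate an octal umask argument, apply it, and observe the permission bits a newly created file ends up with. The names parse_umask and mode_after_create, the requested mode 0666 and the scratch path under /tmp are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse an octal umask argument such as "002"; return -1 if it is invalid. */
static long parse_umask(const char *arg)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 8);
    if (errno != 0 || *end != '\0' || v < 0 || v > 0777)
        return -1;
    return v;
}

/* Create a file requesting 0666 under `mask`; return its permission bits, or -1. */
static int mode_after_create(mode_t mask)
{
    char path[64];
    struct stat st;
    mode_t old;
    int fd, result = -1;

    /* Constructed scratch path; O_EXCL refuses an existing file or symlink. */
    snprintf(path, sizeof(path), "/tmp/umask-demo-%ld", (long)getpid());
    old = umask(mask);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    printf("umask 022 -> %04o\n", (unsigned)mode_after_create((mode_t)parse_umask("022")));
    printf("umask 002 -> %04o\n", (unsigned)mode_after_create((mode_t)parse_umask("002")));
    return 0;
}
```

With umask 022 the group-write bit is stripped from the new file; with 002 it survives, which is the difference the sftponly users need for shared uploads.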

