setting umask for internal-sftp users

Samuel Vogel samydelux at
Fri Jan 9 21:42:47 EST 2009

Will Johnston wrote:
> I'm running OpenSSH 5.1p1 on openSUSE 10.3 (i586) and I want to set up 
> chroot jails for certain SFTP-only users.  I use the following lines 
> in my sshd_config file:
> Match Group sftponly
> ChrootDirectory /home/chroot-%u
> ForceCommand internal-sftp
> It works great.
> The problem is that some of my users need umask 002 for their 
> uploads.  I tried a few ways to achieve this:
>  * set umask in sshrc, .profile, etc... fails because no shell is used 
> with internal-sftp
>  * set the umask to 002 before launching sshd so the sftp server 
> process will inherit it...
>    fails because sshd resets umask to a minimum of 022 on startup 
> (seems like a good idea)
> My solution was to add an option for internal-sftp that sets the 
> umask.  So, I can put this in my configuration:
> Match Group sftponly
> ChrootDirectory /home/chroot-%u
> ForceCommand internal-sftp -u 002
> I've attached my patch.  It's working with no problems for me.
> Please consider including this change or something similar in the next 
> release.

There also is the sftp file control patch, located here:

It also adds a configure parameter to the conf file, which lets you set 
the umask. In addition to that, you can forbid the use of chmod and 
chown for sftp connections.
I really would like to see this integrated into OpenSSH!
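
Added example (not part of either post, and not code from the attached patch): a small audit script that reads sshd_config text, finds Match blocks that force internal-sftp, and reports which umask each block ends up with and whether uploads come out group-writable. It assumes the `-u` option as proposed in the quoted message, a default umask of exactly 022 when `-u` is absent, and a client that requests mode 0666 for new files; the sample configuration and all function names are constructed for illustration.

```python
import shlex

# Constructed sample mirroring the sshd_config lines quoted in the thread.
SAMPLE_CONFIG = """\
Match Group sftponly
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp -u 002
Match Group sftpstrict
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp
"""

DEFAULT_UMASK = 0o022  # assumption: the 022 minimum the thread says sshd enforces

def forced_sftp_umask(command, default=DEFAULT_UMASK):
    """Umask implied by an 'internal-sftp [-u MASK]' command, None if not internal-sftp."""
    args = shlex.split(command)
    if not args or args[0] != "internal-sftp":
        return None
    for i, arg in enumerate(args[1:], start=1):
        if arg == "-u" and i + 1 < len(args):   # "-u 002"
            return int(args[i + 1], 8)
        if arg.startswith("-u") and len(arg) > 2:  # "-u002"
            return int(arg[2:], 8)
    return default

def sftp_umasks(config_text):
    """Map each Match block's criteria to the umask of its forced internal-sftp."""
    result, block = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            block = rest
        elif keyword == "forcecommand" and block is not None:
            mask = forced_sftp_umask(rest)
            if mask is not None:
                result[block] = mask
    return result

def effective_mode(requested, umask):
    """Permission bits left after the umask is applied to the requested mode."""
    return requested & ~umask & 0o777

def audit(config_text):
    """Rows of (block, umask, resulting file mode, group-writable?) for review."""
    return [(b, m, effective_mode(0o666, m), bool(effective_mode(0o666, m) & 0o020))
            for b, m in sftp_umasks(config_text).items()]
```

Running `audit(SAMPLE_CONFIG)` shows at a glance which SFTP-only groups have been given the looser 002 mask, which is the setting worth reviewing against the ownership of each chroot's upload directories.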


More information about the openssh-unix-dev mailing list