setting umask for internal-sftp users

Samuel Vogel samydelux at gmail.com
Fri Jan 9 21:42:47 EST 2009


Will Johnston wrote:
> I'm running OpenSSH 5.1p1 on openSUSE 10.3 (i586) and I want to set up 
> chroot jails for certain SFTP-only users.  I use the following lines 
> in my sshd_config file:
>
> Match Group sftponly
> ChrootDirectory /home/chroot-%u
> ForceCommand internal-sftp
>
> It works great.
>
> The problem is that some of my users need umask 002 for their 
> uploads.  I tried a few ways to achieve this:
>
>  * set umask in sshrc, .profile, etc... fails because no shell is used 
> with internal-sftp
>
>  * set the umask to 002 before launching sshd so the sftp server 
> process will inherit it...
>    fails because sshd resets umask to a minimum of 022 on startup 
> (seems like a good idea)
>
> My solution was to add an option for internal-sftp that sets the 
> umask.  So, I can put this in my configuration:
>
> Match Group sftponly
> ChrootDirectory /home/chroot-%u
> ForceCommand internal-sftp -u 002
>
> I've attached my patch.  It's working with no problems for me.
>
> Please consider including this change or something similar in the next 
> release.
Hey,

There also is the sftp file control patch, located here:
http://sftpfilecontrol.sourceforge.net/

It also adds a configure parameter to the conf file, which lets you set 
the umask. In addition to that, you can forbid the use of chmod and 
chown for sftp connections.
I really would like to see this integrated into openssh!

Regards,
Samy
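
An added example, not part of either message and not OpenSSH code: a small audit that reads Match blocks in the style quoted above, extracts the umask passed to internal-sftp with the `-u` syntax from the quoted configuration, and reports the modes uploads would receive. The sample config, the 022 default and the requested 0666/0777 modes are assumptions for illustration.

```python
import shlex

# Constructed sample, modelled on the sshd_config snippets quoted in the message.
SAMPLE_CONFIG = """\
Match Group sftponly
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp -u 002
Match Group partners
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp
Match User dropbox
    ForceCommand internal-sftp -u 000
"""

DEFAULT_UMASK = 0o022  # assumption: the 022 value the message says sshd enforces


def sftp_umasks(config_text):
    """Map each Match block that forces internal-sftp to its upload umask."""
    result, current = {}, None
    for raw in config_text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "match":
            current = " ".join(words[1:])
        elif keyword == "forcecommand" and current and words[1:2] == ["internal-sftp"]:
            args, umask = words[2:], DEFAULT_UMASK
            if "-u" in args[:-1]:
                umask = int(args[args.index("-u") + 1], 8)
            result[current] = umask
    return result


def audit(config_text):
    """Return (criteria, umask, file_mode, dir_mode, world_writable) per block."""
    rows = []
    for criteria, umask in sftp_umasks(config_text).items():
        # Assumption: the client requests 0666 files and 0777 directories.
        file_mode, dir_mode = 0o666 & ~umask, 0o777 & ~umask
        rows.append((criteria, umask, file_mode, dir_mode, bool(file_mode & 0o002)))
    return rows


if __name__ == "__main__":
    for crit, um, fm, dm, ww in audit(SAMPLE_CONFIG):
        flag = "  <- world-writable uploads" if ww else ""
        print(f"{crit:16} umask={um:03o} file={fm:03o} dir={dm:03o}{flag}")
```

With umask 002 the group write bit survives (664/775), which is what the shared-upload case in the message needs, while a umask of 000 is flagged because it leaves uploads world-writable.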


More information about the openssh-unix-dev mailing list