[SFTP] Possibility for Adding "ForceFilePermission" option

[Jakub Jelen]

On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
> Hi,
> 
> I understand that if I specify `ForceCommand internal-sftp -u
> <umask>`, the permission of any files uploaded via sftp will be
> calculated by `<original permission> & ~umask`. However, this can be
> bypassed by the `-P` option of `put` command. We are developing a
> shared hosting platform, therefore we definitely don’t want our users
> being able to upload any executable files. We can not disable the x
> permission by umask because directories need the x permission. 
> 
> Is there any possible way to accomplish this? or is it possible to
> add a `ForceFilePermission` and `ForceDirPermission` option in the
> sshd_config ?
> 
> Thanks & Best Regards,
> House


Hello,
during last month, there were already two emails in this mailing list
discussing this issue:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-
November/036468.html

The patch exists here since 2010 and it is currently used in
Fedora/RHEL to a great satisfaction, though it was never accepted by
upstream nor there was any official statement if they will eventually
accept this change or why not (and in which I would be greatly
interested).

Best advise I have is to pull that patch from the linked thread above.
Or have some script that is fixing the files permissions upon upload.

Regards,
Jakub

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.