[SFTP] Possibility for Adding "ForceFilePermission" option

Jakub Jelen jjelen at redhat.com
Mon Dec 18 23:03:44 AEDT 2017

On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
> Hi,
> I understand that if I specify `ForceCommand internal-sftp -u
> <umask>`, the permission of any files uploaded via sftp will be
> calculated by `<original permission> & ~umask`. However, this can be
> bypassed by the `-P` option of `put` command. We are developing a
> shared hosting platform, therefore we definitely don’t want our users
> being able to upload any executable files. We can not disable the x
> permission by umask because directories need the x permission. 
> Is there any possible way to accomplish this? Or is it possible to
> add a `ForceFilePermission` and `ForceDirPermission` option in the
> sshd_config ?
> Thanks & Best Regards,
> House

During the last month, there were already two emails in this mailing list
discussing this issue:


The patch has existed here since 2010 and it is currently used in
Fedora/RHEL to great satisfaction, though it was never accepted by
upstream, nor was there any official statement on whether they will eventually
accept this change or why not (and in which I would be greatly

Best advice I have is to pull that patch from the linked thread above.
Or have some script that fixes the file permissions upon upload.


Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

More information about the openssh-unix-dev mailing list
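
The "script that fixes the file permissions upon upload" suggested in the reply could look like the following. This is an added example, not part of the original thread and not OpenSSH code; the function names and the sample tree are constructed, and it assumes a POSIX system and a caller (root or the file owner) that can open the uploaded files.

```python
import os
import stat
import tempfile

# Bits a shared-hosting upload should never carry on a regular file:
# all three execute bits plus setuid/setgid.
STRIP = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH | stat.S_ISUID | stat.S_ISGID

def strip_exec_bits(root):
    """Clear execute/setuid/setgid bits on regular files under root.

    Directories are left alone (they need x to be traversable) and symlinks
    are never followed. Returns the list of paths that were changed.
    """
    changed = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                # O_NOFOLLOW: fail rather than follow a symlink placed by the user.
                # O_NONBLOCK: do not hang if the entry is a FIFO.
                fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
            except OSError:
                continue  # symlink, vanished file, or entry we cannot open
            try:
                # fstat/fchmod act on the opened inode, not on the path name.
                st = os.fstat(fd)
                if stat.S_ISREG(st.st_mode) and st.st_mode & STRIP:
                    os.fchmod(fd, stat.S_IMODE(st.st_mode) & ~STRIP)
                    changed.append(path)
            finally:
                os.close(fd)
    return changed

def demo():
    """Constructed sample tree: one file uploaded as 0755, one as 0644, one dir."""
    root = tempfile.mkdtemp(prefix="sftp-upload-")
    os.mkdir(os.path.join(root, "site"))
    for name, mode in (("site/shell.cgi", 0o755), ("site/index.html", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # what `put -P` of a 0755 file would leave behind
    changed = strip_exec_bits(root)
    modes = {n: stat.S_IMODE(os.stat(os.path.join(root, n)).st_mode)
             for n in ("site", "site/shell.cgi", "site/index.html")}
    return changed, modes

if __name__ == "__main__":
    print(demo())
```

Because this runs after the upload, a file keeps its uploaded mode until the next pass, and a user can set the bits again over SFTP; that window is what a server-side option in sshd would close.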