16

We have an Ubuntu 10.04 server. How can I set it so that new files created (or copied) over SFTP or SSH have g+rw and g+rwx permissions (where appropriate)?

I'm also using setgid (chmod g+s) so that they inherit the proper group owner.

wag2639

2 Answers

12

In /etc/ssh/sshd_config, you can pass a flag and value in (-u 0002) like the following to set the umask value:

Subsystem sftp /usr/lib/openssh/sftp-server -u 0002

Append the -u 0002 to the existing Subsystem sftp line of the configuration file.

Afterwards, you will need to restart ssh for the changes to take effect:

service ssh restart
Domino
  • This only applies to newer versions of OpenSSH, but should be the preferred solution where possible. – Andrew B Jan 12 '13 at 06:27
  • This only works if you need more restrictive permissions than what is set by the client, not looser. – Joost Aug 19 '15 at 18:52
  • As Joost said, this doesn't help to force group-write permissions. It would help to forbid group-write. – flight Sep 10 '15 at 15:46
  • According to recent documentation, the same options can be used with `Subsystem sftp internal-sftp`. – underscore_d Oct 09 '15 at 12:27
10

In /etc/ssh/sshd_config, change the following:

Subsystem sftp /usr/lib/openssh/sftp-server

to:

Subsystem sftp /bin/sh -c 'umask 0002; exec /usr/lib/openssh/sftp-server'

Source: http://jeff.robbins.ws/articles/setting-the-umask-for-sftp-transactions

wag2639
  • It's better to put an `exec` before the final `/usr/.../sftp-server`, so that you won't have useless `sh` processes lying around. – user1686 Jun 13 '10 at 20:32
  • Also, an umask is just a number; `0002` can be written shorter as `02`. – user1686 Jun 13 '10 at 20:33
  • I thought umask was an octal, but thanks for the exec part. – wag2639 Jun 16 '10 at 15:38
  • Yes, umasks _are_ octal. That doesn't mean you need three leading zeroes - one is enough. (In fact, the `umask` command doesn't need _any_ leading zeroes, it always reads the argument as an octal number.) ... But on second thought, maybe `0002` is clearer to understand. – user1686 Jun 19 '10 at 20:52
  • This doesn't work for me. It won't enforce the g+w permission. – flight Sep 10 '15 at 15:54
  • This answer doesn't work with new openssh anymore. Received unexpected end-of-file from SFTP server. See the other answer. – Cano64 Apr 20 '17 at 13:46
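Both answers (the `-u 0002` flag and the `sh -c 'umask 0002; ...'` wrapper) do the same thing: they set the umask of the sftp-server process. The comments saying this cannot force g+w are right, and the reason is how sftp-server creates files: it calls open(2) with the mode the client sent in its SSH_FXP_OPEN request (the OpenSSH sftp client sends the local file's mode bits, usually 0644), falling back to 0666 when the client sends no permissions, and the kernel then clears whatever bits the umask names. The following is an added example, not code from either answer or from OpenSSH, that reproduces that open(2) call with Python's os.umask and os.open so you can see the outcome for each case. The 0666 fallback and the 0644 client mode are taken from OpenSSH behaviour; the helper names and case labels are mine.

```python
"""Reproduce how sftp-server creates an uploaded file, to show why a server-side
umask (sftp-server -u, or umask in a wrapper script) can only remove permission
bits and never add group write.

sftp-server answers an SSH_FXP_OPEN request with open(2), passing the mode the
client supplied in the request attributes (OpenSSH's sftp client sends the local
file's mode bits, typically 0644); if the client sends no permissions, 0666 is
used. The kernel then clears every bit that is set in the process umask.
"""
import os
import stat
import tempfile

# Mode sftp-server uses when the client sends no permission attribute.
SFTP_DEFAULT_MODE = 0o666


def effective_mode(requested_mode: int, umask: int) -> int:
    """The mode open(2) actually assigns: requested bits minus the umask bits."""
    return requested_mode & ~umask & 0o777


def create_like_sftp_server(directory: str, name: str, umask: int,
                            requested_mode: int = SFTP_DEFAULT_MODE) -> int:
    """Create a file the way sftp-server does and return the resulting mode bits.

    The umask is process-wide, so it is installed only for the duration of the
    call and restored afterwards to avoid leaking it into the caller.
    """
    path = os.path.join(directory, name)
    old_umask = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
        os.close(fd)
    finally:
        os.umask(old_umask)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run the three cases the answers and comments above argue about."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Client sent no permission attribute: umask 0002 yields a group-writable 0664.
        results["no_client_perms_umask_0002"] = create_like_sftp_server(d, "a", 0o002)
        # OpenSSH sftp client sent its local 0644: umask 0002 cannot add g+w.
        results["client_0644_umask_0002"] = create_like_sftp_server(d, "b", 0o002, 0o644)
        # Client sent 0666 but umask 0022 strips g+w: the umask only ever restricts.
        results["client_0666_umask_0022"] = create_like_sftp_server(d, "c", 0o022, 0o666)
    return results


if __name__ == "__main__":
    for case, mode in demo().items():
        print(f"{case}: {mode:04o}")
```

Run it and the second case is the one that bites: a file uploaded by the stock OpenSSH client arrives as 0644 no matter how permissive the server umask is, because the client asked for 0644 and a umask cannot set bits. Setgid on the directory still fixes the group owner, as the question notes, but group write has to come from the client (for example `sftp -p` preserving a group-writable local file, or a `chmod` after upload) or from a filesystem default ACL.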