5

I am using various SFTP clients for uploading files to an SFTP server and I have a problem with default permission used when putting files.

When requesting to put a file, SFTP clients like WinSCP or Filezilla will send the SSH_OPEN command without requesting any explicit file permission.

On the other side, it looks like the OpenSSH sftp command on Linux (Red Hat and Ubuntu) is sending the SSH_OPEN command together with the '640' mode.

How can I configure the OpenSSH command to not explicitly set the file mode or how can I configure it to send a mode, other than 640?

Many thanks!


Update:

I checked the OpenSSH sftp client source code and it looks like OpenSSH sftp will always try to preserve file mode even if -P is not set: http://www.koders.com/c/fidD3B20680F615B33ACCB42398FAAFEE1C007DF942.aspx?s=rsa#L986

To solve this problem I used Putty SFTP client.

Adi Roiban

3 Answers

4

If an SFTP client does not specify permissions for uploaded files, the OpenSSH SFTP server assigns 0664 permissions to newly created files. That's for the default umask 0002, which you can change using the -u switch as the answer by @JimB shows.


If an SFTP client specifies the permissions, OpenSSH server uses the specified permissions (the umask does not apply).

Overview of some popular SFTP clients:

Martin Prikryl
3

The sftp-server will create the new file with the default umask of the user. This can be overridden with the -u umask option to sftp-server.

SFTP-SERVER(8)
     -u umask
             Sets an explicit umask(2) to be applied to newly-created files 
             and directories, instead of the user's default mask.

The client (OpenSSH sftp) can choose to preserve local permission by using the -p option, which will send the file then fchmod it appropriately.

SFTP(1) 
     -p      Preserves modification times, access times, and modes from the 
             original files transferred.

If you're strictly asking how to set a mandatory file mode with the sftp client; you can't (at least with openssh sftp-client). You will have to send a chmod after sending the file.

JimB
  • 1
    This is not about sftp-server umask setting. I checked the OpenSSH SFTP client source code and even if the -p option is not specified the sftp client will still preserve file modes. http://www.koders.com/c/fidD3B20680F615B33ACCB42398FAAFEE1C007DF942.aspx?s=rsa#L986. So when using OpenSSH sftp client the file modes are always preserved. – Adi Roiban Jun 27 '11 at 18:21
  • 1
    How does the OpenSSH sftp client source even matter, since you are using WinSCP/Filezilla/psftp from a Windows box to connect? OpenSSH != Putty. Since it is a Windows box, what do you expect the permissions to be, if the permissions were preserved? Are you somehow expecting the server to magically guess what the permissions should be if the client doesn't support permissions? – Zoredache Jun 27 '11 at 18:43
  • 1
    @Adi - I'm not sure where you're seeing that. The only call to `do_fsetstat` is on line 1108, under `if (pflag)` (the -p option). A simple put does not modify the remote file mode after writing it. It *will* call `open` with the original file's mode_t, which will have the umask xor'ed from it on the server side. – JimB Jun 27 '11 at 18:46
  • @Zoredache Filezilla and psftp are also working on Linux. This is not a Windows specific question. – Adi Roiban Jun 27 '11 at 19:10
  • @JimB when the sftp client is uploading a file it will fstat the local file (line 980) and then copy permission into the request (line 986). Try to upload two local files with different modes without using -p and the files will be uploaded on the server using the same permissions. – Adi Roiban Jun 27 '11 at 19:14
  • 2
    @Adi - yes, that's exactly what I'm saying!? The sftp-server will call open with the requested mode, which gets modified by the umask. If there is no umask, the mode is copied in full. The options to possibly change the mode of the file are: set the user's umask on the server; set the sftp-server umask with `-u`; call `chmod` directly; or set permissions locally, and use `-p` in the client. You're looking at the source yourself, there's no "put-and-set-attributes" style command in the protocol. – JimB Jun 27 '11 at 19:27
  • @JimB. Like I said, this is not a problem with the sftp-server. I am sorry to contradict you, but the SFTP protocol does specify a "put and set attributes" command. If you check the draft-ietf-secsh-filexfer-13.txt http://filezilla-project.org/specs/draft-ietf-secsh-filexfer-13.txt you will see that the SSH_FXP_OPEN command (chapter 8.1.1. Opening a File) requests the server to open a file with a desired access and flags. Only the FTP protocol does not have a "put-and-set-attributes" – Adi Roiban Jun 28 '11 at 08:41
  • 2
    @Adi, SSH_FXP_OPEN is the same thing we were discussing earlier. Notice the wording, "desired-access"! If the file doesn't exist, the server will call open(name, flags, mode) with O_CREAT, which doesn't guarantee mode because the umask will always be applied via mode & ~umask, (don't know why I typed xor earlier, but I can't edit it). The only time (f)chmod is called on the file (you can watch this with strace), is if you use the -p flag, or call chmod explicitly. Putty sftp may very well call chmod on its own due to the impedance mismatch of windows->unix attributes – JimB Jun 28 '11 at 13:51
  • Regarding your discussion, see [does OPENSSH SFTP server uses umask or preserve client side permissions after put command (chrooted environment)?](http://serverfault.com/q/639042/168875) – Martin Prikryl Jan 27 '15 at 21:07
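
The system-call behaviour argued over in the comments above (`open()` with `O_CREAT` stores `mode & ~umask`, while `fchmod()` sets the bits exactly) can be checked directly. This is an added example, not part of the original thread and not OpenSSH code; `upload_mode` and the scratch path under `/tmp` are hypothetical names, and it shows only the POSIX semantics, not which of these calls sftp-server makes for a given client.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() and fchmod() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a new file with `requested` mode while `mask`
 * is the process umask, optionally fchmod() it afterwards (what a
 * preserve-permissions step amounts to), and return the resulting
 * permission bits, or -1 on error. */
static int upload_mode(mode_t requested, mode_t mask, int then_fchmod)
{
    char dir[] = "/tmp/sftp_mode_XXXXXX";   /* constructed scratch directory */
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/upload", dir);

    mode_t saved = umask(mask);
    /* O_CREAT: the kernel stores requested & ~umask, not requested. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(saved);

    if (fd >= 0) {
        /* fchmod() sets the bits exactly; the umask is not consulted. */
        if ((!then_fchmod || fchmod(fd, requested) == 0) && fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 07777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("open 0666, umask 027         -> %04o\n", (unsigned)upload_mode(0666, 027, 0));
    printf("open 0666, umask 027, fchmod -> %04o\n", (unsigned)upload_mode(0666, 027, 1));
    printf("open 0640, umask 002         -> %04o\n", (unsigned)upload_mode(0640, 002, 0));
    return 0;
}
```

A requested mode of 0640 survives umask 002 unchanged because the mask only clears bits that are set; the stored mode cannot tell you whether the umask was applied.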
0

I believe that the sftp-server will use the user's profile's default umask unless it has been started with an explicit umask (man 8 sftp-server for details).

agy
  • Thanks for your answer. This question is not about umask, but the default file permission requested by the sftp client. Each time the OpenSSH sftp client puts a file on the server it requests a chmod of 640. – Adi Roiban Jun 24 '11 at 08:54