25

I have a SFTP server (openssh/sftp-server) and I would like to set umask 002 for users using this service. I tried setting PAM (pam.d/common-session), and .profile for each user, but no luck.

With SSH login everything is fine, but when I try with SFTP (with gFTP) I have the 022 umask set.

I already tried to use a wrapper for sftp-server that is changing the umask before calling the sftp-server, no luck.

Any help? Thanks a lot!

Dennis Williamson
mat_jack1

6 Answers

30

Since OpenSSH 5.4p1 I think, you can use the "-u" option, for example:

Subsystem sftp /usr/lib/openssh/sftp-server -u 022

From the man page:

 -u umask
         Sets an explicit umask(2) to be applied to newly-created files
         and directories, instead of the user's default mask.
Weboide
  • that's nice!! I'll take a look ASAP and report my findings :) – mat_jack1 Nov 07 '10 at 22:21
  • 6
    For those w/o the -u option, this works: `Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'` – Steve Clay Jul 31 '11 at 01:23
  • 1
    Good solution. It solves the problem with client shells and applications, such as CyberDuck, that set their default permissions regardless of the system umask. I found it useful to make sure that every client app will set the right permissions to let my users work together on group files. It may be useful to add also that this setting won't stop users from customizing file permissions if they wish. – gerlos Mar 03 '14 at 00:14
  • One last thing to add: if you need only sftp feature and don't need to give your users shell access, you may consider also using [rssh](http://www.pizzashack.org/rssh/index.shtml) instead of bash for their shells, and setting default umask for them in /etc/rssh.conf. This may make your server more secure – gerlos Mar 03 '14 at 00:18
  • Doesn't work for me with `Subsystem sftp internal-sftp -u 022` – leonheess May 13 '20 at 10:34
  • Per @cloudranger's answer, you need to add the `-u` argument to any `ForceCommand`s you have in your `/etc/ssh/sshd_config` as well. – Frans Jul 14 '22 at 06:12
7

I hope this can save someone else hours of frustration...

If you're using a GUI SFTP application, check its preferences for setting permissions on upload.

I had tried all the solutions above, and it turns out the application was just overriding them.

Malcolm
  • ^^ Yes, for a long time I've been setting the umask on sftp connection by making a script similar to Weboide's solution. Recently I was scratching my head as to why this didn't seem to work as well as it did in the past. Well apparently at some point an update to my SFTP client made it explicitly set the umask after connecting with ssh, so go figure. – Jared Kipe Mar 04 '13 at 20:26
  • It's not just GUIs. Not even clients. It took me way too long to find that the test file I uploaded had 0600 which the client (OpenSSH sftp) copied to the remote side. – xebeche Nov 17 '13 at 17:32
  • Thank you! Spent so long playing around with permissions for nothing. – Tania Rascia Jan 13 '16 at 20:24
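An added example, not code from this thread or from OpenSSH, that ties Weboide's `-u` answer to the client-permission point made in this answer and its comments. Both `sftp-server -u NNN` and the `/bin/sh -c 'umask 0002; sftp-server'` wrapper only set the process umask; the kernel then applies it inside open(2), so a new file gets the mode the client asked for with the umask bits cleared, and a chmod the client sends after the upload is not subject to the umask at all. The function names are illustrative; `file_mode` assumes GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example (not from the original thread): what "sftp-server -u UMASK"
# or the "sh -c 'umask 0002; sftp-server'" wrapper can and cannot do.
# Both only set the process umask, which the kernel applies inside open(2):
#     final mode = mode requested by the client  &  ~umask
# A umask can clear permission bits; it never adds bits the client did not
# request, and it does not touch a chmod the client sends afterwards.

# Read back a file's permission bits as three octal digits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Case 1: the arithmetic open(2) performs. The OpenSSH sftp client sends the
# permission bits of the local file in its open request, so a local 0600 file
# stays 0600 on the server no matter how permissive the umask is.
# Usage: effective_open_mode UMASK REQUESTED_MODE   e.g. effective_open_mode 002 0600
effective_open_mode() {
    printf '%03o' "$(( 0$2 & ~0$1 ))"
}

# Case 2: a file created with the default mode 0666 under a given umask, which
# is what the umask fixes in this thread are aimed at. The umask is set in a
# subshell so the caller is untouched, exactly like the sh -c wrapper.
mode_created_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/f" ) || return 1
    file_mode "$dir/f"
    rm -rf "$dir"
}

# Case 3: the client follows the upload with an explicit chmod (SSH2_FXP_SETSTAT),
# as GUI clients with "set permissions on upload" and "sftp -p" do. The umask
# plays no part in that, so the client's mode wins.
mode_after_client_chmod() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/f" && chmod "$2" "$dir/f" ) || return 1
    file_mode "$dir/f"
    rm -rf "$dir"
}

# Demo table when run directly.
for req in 0600 0644 0666 0777; do
    printf 'client requests %s: umask 022 -> %s, umask 002 -> %s\n' \
        "$req" "$(effective_open_mode 022 "$req")" "$(effective_open_mode 002 "$req")"
done
printf 'default 0666 under umask 002, on disk: %s\n' "$(mode_created_under_umask 002)"
printf 'client chmod 600 under umask 002, on disk: %s\n' "$(mode_after_client_chmod 002 600)"
```

The table is the practical check: if the files arrive as 0600 or 0644 even with `-u 002` in place, look at what the client sends, as this answer says, before touching sshd again.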
6

In the ssh config file you can also use this to set the mode of the file specifically (overriding any chmod that the client may try to set). Here I am using internal-sftp but I guess it would be the same for sftp-server:

ForceCommand internal-sftp -u 0022
cloudranger
  • First answer that explicitly tells you to add this to the `internal-sftp` command. I'd added it to `Subsystem sftp /usr/lib/openssh/sftp-server` but that wasn't making a difference. – Frans Jul 14 '22 at 06:11
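An added example, not from this thread or from OpenSSH, for the trap described in this answer and the comment above it: a `-u` on the `Subsystem sftp` line does nothing for users whose session is started by a `ForceCommand` that lacks it, because sshd runs the ForceCommand instead of the subsystem command. The audit below reads an `sshd_config`, tracks `Match` blocks, and reports every `Subsystem sftp` or `ForceCommand` directive that starts `sftp-server` or `internal-sftp` without `-u` (a `umask NNN` inside an `sh -c` wrapper, as in Steve Clay's comment, also counts as set). The function name and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for
# sftp-server / internal-sftp invocations that lack a umask, the trap where a
# -u on the Subsystem line is silently bypassed by a later ForceCommand.
# Usage: sftp_umask_audit /etc/ssh/sshd_config
#   prints one line per offending directive; exit status 0 when none are found.
sftp_umask_audit() {
    awk '
        /^[ \t]*#/ { next }                     # comment lines
        /^[ \t]*$/ { next }                     # blank lines
        tolower($1) == "match" {                # a Match block runs to the next Match
            ctx = ""
            for (i = 1; i <= NF; i++) ctx = ctx (i > 1 ? " " : "") $i
            next
        }
        (tolower($1) == "subsystem" && $2 == "sftp") || tolower($1) == "forcecommand" {
            if ($0 !~ /sftp-server|internal-sftp/) next     # not an SFTP command
            if ($0 ~ /(^|[ \t])-u[ \t]*[0-7]+/) next         # sftp-server -u NNN
            if ($0 ~ /umask[ \t]+[0-7]+/) next               # sh -c "umask NNN; ..."
            printf "%s:%d: [%s] no umask set: %s\n", FILENAME, FNR, (ctx ? ctx : "global"), $0
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample configs for the demo; neither belongs to a real server.
bad_cfg=$(mktemp)
good_cfg=$(mktemp)
trap 'rm -f "$bad_cfg" "$good_cfg"' EXIT

cat > "$bad_cfg" <<'EOF'
# Looks right at a glance: the Subsystem line carries -u ...
Subsystem sftp /usr/lib/openssh/sftp-server -u 002

# ... but users matched here run this ForceCommand instead, with the default 022.
Match Group sftpusers
    ForceCommand internal-sftp
EOF

cat > "$good_cfg" <<'EOF'
Subsystem sftp internal-sftp -u 002

Match Group sftpusers
    ForceCommand internal-sftp -u 002

Match Group legacy
    ForceCommand /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
EOF

sftp_umask_audit "$bad_cfg" || echo "bad_cfg: umask missing somewhere (exit $?)"
sftp_umask_audit "$good_cfg" && echo "good_cfg: every SFTP command sets a umask"
```

Run it against the live file after every change to `sshd_config`, and remember that `sshd -T -C user=...,host=...,addr=...` shows which `ForceCommand` a given user actually gets once the `Match` blocks are evaluated.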
2

After many hours trying to apply various hacks and fixes I've found a proper solution!

There's a patch for SSH that permits you to choose the umask that you want for SFTP. You can download it here: http://sftpfilecontrol.sourceforge.net/

For me (OpenSSH_5.2p1+sftpfilecontrol-v1.3, OpenSSL 0.9.8g 19 Oct 2007) it's working perfectly!

mat_jack1
  • 2
    Just to note that the option '-u' to set the umask is available in OpenSSH since 5.4p1, see my answer further down. – Weboide Nov 17 '10 at 18:20
1

To quote this message:

I got this working okay by adding a "umask 007" line in /etc/init.d/ssh.

Bash uses the .profile for interactive login shells. I don't think sftp counts as one. You might be able to set the umask in /etc/bash.bashrc or ~/.bashrc if the tip above doesn't work or you want more fine-grained control.

Dennis Williamson
  • 2
    Thanks for the answer, but I already had umask 002 in ssh (I tried also 0002) and it's not working :( Also the bashrc is not taken into consideration, as with an external SFTP client I don't think that bash is used. If I log in directly with ssh everything is fine. My problem is only with SFTP clients. Thanks! – mat_jack1 Oct 02 '09 at 18:59
  • Oops, you're right. I don't know why I was thinking about Bash being involved. – Dennis Williamson Oct 02 '09 at 19:21
0

Refer to this question to find a simple solution that doesn't require specific OpenSSH versions or custom patches.

Unode