www-data group write after sftp?

I'd like to have my apache user be able to read and write files, my sftp user(s) to be able to upload files that are then available (rwX) to both other sftp users and apache, and everyone else read is ok.

psst: I know this question comes up a lot, and I've been reading answers and trying many many things for two days now and am now thoroughly confused. Also I'm aware of the security risks involved in allowing www-data write access to my site, but that is not the issue I'm here to discuss.

Here are my steps:

usermod -aG www-data tim
mkdir -p /var/www/mysite/public_html

# now upload/untar the site, etc. not shown here #

chown -R www-data:www-data /var/www/mysite
chmod -R u+rwX,go+rwX,g+s,o-w /var/www/mysite

# now make the apache virtual host and so on .. not shown here #

Files inside public_html are set like this - group has write:

-rw-rwSr-- 1 www-data www-data favicon.ico

Now, logging on as my "tim" account using sftp, I upload a new file to the public_html folder, then look at its permissions:

-rw-r--r-- 1 tim      www-data COPYING.txt

So I've lost group WRITE, even though I thought I'd added g+s on the parent folder so that it would inherit the group.

Apparently this doesn't mean that it also inherits the group /mask/. I've read somewhere (and lost the reference) that SFTP doesn't honour the umask; that seems to be where the permissions are getting lost, but I don't know how to fix it.

Edit: found the umask reference and have tried it - http://john.parnefjord.se/node/62 - I can see that the file is executing upon login, but still the mask isn't set to g+w after an upload.


Posted 2014-07-01T01:59:04.893

Reputation: 547

FYI, g+s only affects the group ID assigned to new files, not the group permissions. – Kenster – 2014-07-01T12:11:42.280



I didn't check much, but I tried 2-3 times with different group permissions on a local server.

What I get here is that whatever permissions are given to the file on the local system are exactly the same permissions the file gets on the remote server.


Posted 2014-07-01T01:59:04.893

Reputation: 239


When a process creates a file on unix, the process controls what permissions are assigned to the file. The process specifies a set of permissions, typically 0666 or 0777, in the file-creation system call. The permissions are modified by the process's umask to produce the actual permissions for the file. Special flags on the parent directory are not part of this process. A process can also change the permissions on an existing file through another system call named chmod().

SFTP is really a remote filesystem protocol. When a client creates a file on a server, the client can tell the server exactly what permissions to give to the new file. The client can also invoke chmod() remotely to change the permissions on existing files. The OpenSSH SFTP server doesn't provide any means for the server administrator to restrict this that I'm aware of.

What I'd probably do is to write a shell script that sweeps through the folder and fixes file permissions. You could run the script from cron every few minutes. Something like the following should get you started:

#!/bin/sh
cd /var/www/mysite || exit 1
# only touch regular files whose mode is not already exactly 0664
find . -type f ! -perm 0664 -exec chmod 0664 '{}' ';'


Posted 2014-07-01T01:59:04.893

Reputation: 5 474
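A fuller version of that cron sweep, added here as an example and not part of the original answer: it normalises regular files to 0664 and directories to 2775 (setgid, so newly created files keep the site group) and optionally forces the group, touching only entries that do not already comply. The directory and group are parameters (assumed names; pass `www-data` in production), and `count_noncompliant` is a helper added for checking the result.

```shell
#!/bin/sh
# Added example, not the answer's own script. Assumes POSIX find with
# -perm/-group and "-exec ... {} +", plus chgrp -h (GNU and BSD have it).
#
# Policy:
#   regular files -> 0664  rw owner/group, r others (also drops stray setgid
#                           bits such as the "S" seen on favicon.ico)
#   directories   -> 2775  rwx owner/group, setgid so new files get the group
#   every entry   -> group $2, when a group name is given
# Only non-compliant entries are changed, so repeated cron runs stay cheap.

fix_site_perms() {
    dir=$1
    group=${2:-}

    [ -d "$dir" ] || { echo "fix_site_perms: no such directory: $dir" >&2; return 1; }

    if [ -n "$group" ]; then
        # "{} +" batches many paths into one chgrp call; -h does not follow symlinks
        find "$dir" ! -group "$group" -exec chgrp -h "$group" '{}' +
    fi

    # "! -perm 0664" is an exact-mode test, so setgid/sticky bits count as a mismatch
    find "$dir" -type f ! -perm 0664 -exec chmod 0664 '{}' +

    # directories: rwxrwsr-x
    find "$dir" -type d ! -perm 2775 -exec chmod 2775 '{}' +
}

# count_noncompliant DIR -> number of files/directories still outside the policy
count_noncompliant() {
    dir=$1
    { find "$dir" -type f ! -perm 0664; find "$dir" -type d ! -perm 2775; } \
        | wc -l | tr -d ' '
}
```

From cron: `*/5 * * * * /usr/local/bin/fix_site_perms.sh /var/www/mysite www-data` (assumed path), after adding a call to `fix_site_perms "$1" "$2"` at the end of the file.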