Setting default group permissions via SFTP



I am setting up a file server where users log in via SFTP. I want all users to have the same permissions to read and write any file. Since they all have different accounts with different passwords, I end up with something like this:

-rw-r-----   1 user1   sharing  308 Jul  6 12:03 test2.rtf
-rw-r-----   1 user2   sharing  308 Jul  6 12:16 test3.rtf

The group is called sharing, which contains all the users. The problem is that when files are written, the default permission for the group is read only.

I have tried setting the umask in sshd_config:

Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
Match Group sharing
    ChrootDirectory /files/
    ForceCommand internal-sftp -u 002
    AllowTCPForwarding no
    X11Forwarding no

The facl for the directory is this:

# file: .
# owner: root
# group: sharing
# flags: -s-

also in these places:

init.d/rc:umask 002
init.d/ssh:umask 002
bash.bashrc:umask 002

If I log in via SFTP, I get permissions of 640. If I disable the sftp and log in as user1 via ssh, and touch a new file, I get permissions of 660 - which is what I want.

So how can I get this to work via SFTP?

This is Debian 7 btw.


Posted 2015-07-06T17:54:33.520

Reputation: 151

Try the sshd_config syntax over at

– ssnobody – 2015-07-06T19:43:10.680

Yep, I tried that one as well - no luck – DAB – 2015-07-06T21:31:01.817




This is an everlasting problem of sftp and sharing files. It is because the resulting permissions are based on the original permission of the file on the user side, and the umask (-u) argument is not forcing such permissions, but only stripping the unwanted permissions. This means that only if the user tries to upload a file with permission 0777 is it applied and stripped down to 0775. Otherwise it is just left as it was. For example, if the user has a file stored on his file system with permission 0700, it will also appear after upload as 0700.


Recently we solved this issue in Fedora by applying a patch which forces the exact permission of newly uploaded files, which is based on this one:

This will be available in CentOS in a few months, not sure about Debian.


There is no other elegant solution except some periodically running script (from cron), which fixes the wrong permissions. It would be some one-liner in bash, but I guess you can think of one. I can elaborate on this more if you are interested.



Reputation: 7 981

I actually found a workaround that works on Debian also - posting an answer – DAB – 2015-07-08T16:11:29.870
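
The stripping behaviour described in the answer above, and the kind of cron-run fix-up it mentions, reproduced as an added example (not code from the question or any answer). It assumes a POSIX sh with cp, find, chmod and stat, and uses a scratch directory in place of the chrooted /files tree; no sshd is involved, since "cp" without -p creates the copy the same way sftp-server creates an upload (requested mode ANDed with ~umask).

```sh
#!/bin/sh
# Added example: shows that a umask only removes bits from the mode the
# client requests and never adds the group write bit, then runs a
# cron-style pass that repairs group permissions under a shared tree.
# Assumption: GNU or BSD stat is available; a temp dir stands in for /files.

# Octal mode of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Simulate an SFTP upload: sftp-server creates the target with the mode
# the client sent, and the kernel ANDs that with ~umask. "cp" without -p
# creates the copy the same way, so the result is src_mode & ~002.
# Prints the mode the uploaded file ends up with.
simulate_upload() {
    dir=$1; req=$2
    : > "$dir/src.$req" && chmod "$req" "$dir/src.$req"   # client-side file
    ( umask 002; cp "$dir/src.$req" "$dir/up.$req" )      # upload under -u 002
    mode_of "$dir/up.$req"
}

# Cron-style fix-up: grant the group rw on files and rwx on directories
# that lack them, leaving already-correct entries untouched.
fix_group_perms() {
    find "$1" -type f ! -perm -060 -exec chmod g+rw {} +
    find "$1" -type d ! -perm -070 -exec chmod g+rwx {} +
}

# Number of regular files under a tree that the group still cannot write.
group_unwritable_count() {
    find "$1" -type f ! -perm -020 | wc -l | tr -d ' '
}

# Demo run on a scratch directory (constructed input, cleaned up afterwards).
share=$(mktemp -d)
for m in 700 777 664; do
    echo "client sends $m -> uploaded as $(simulate_upload "$share" "$m")"
done
echo "group-unwritable before fix-up: $(group_unwritable_count "$share")"
fix_group_perms "$share"
echo "group-unwritable after fix-up:  $(group_unwritable_count "$share")"
rm -rf "$share"
```

A 0700 file uploaded under umask 002 stays 0700 and 0777 becomes 0775, exactly as the answer states; only the fix-up pass (or a bindfs-style mount) gives the group write access afterwards.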


I was able to get this to work on Debian using bindfs - which is still kind of hacky, but it works. Basically it mounts one directory into another, and you can force all permissions to behave however you like. So regardless of how the file is written in the actual directory, the directory served by SFTP will always be writable. Now all of my clients can write to files that other users created :D



Reputation: 151