file permissions and group ownership using sftp

5

3

Is there a way to have all files created by a particular user under sftp be given a specific group and file permissions? The user in question, of course, will be a member of the group, but it is not his primary group. In other words, is there a way for sftp to automatically duplicate the effects of umask and newgrp?

user24844

Posted 2010-01-14T20:23:46.870

Reputation: 151

Seems like more of a ServerFault question to me, but it could be a grey-area. – squircle – 2010-06-05T23:20:05.200

Also search for options to do this with scp. Unfortunately, there is confusion between scp - sftp - ftps - ftp-ssl – pcapademic – 2010-01-15T23:18:19.437

Answers

5

There is such a thing as a subsystem in (Open)SSH: it is a program which gets launched when you request something other than an interactive shell. Technically it is just an executable on the remote host which is exec'd by an sshd child after authenticating you and calling setuid.

You can locate a standard subsystem definition for sftp in your SSH config:

Subsystem sftp /usr/lib/openssh/sftp-server

As it is just a plain executable, not a SUID one or special in any other way, you can write a shell script that will change any attributes you need and then just launch original subsystem handler.

Place the following script into /usr/lib/openssh folder as e.g. sftp-fperm-server (this is not required, just to keep things in one place):

#!/bin/sh
umask 026
exec /usr/lib/openssh/sftp-server

Then add a line in the end of /etc/ssh/sshd_config:

Subsystem sftp-fperm /usr/lib/openssh/sftp-fperm-server

And then restart sshd (it does not kill sessions on restart) and launch sftp with a -s sftp-fperm option. Voilà! Files get the newly specified umask.

If you do not want to specify that option each time, just change the standard subsystem definition. Interactive sessions won't be affected by it, so there are no chances of breaking something.

If you want to use the newgrp command, things will be a bit trickier. newgrp always launches a new interactive shell while stupidly not allowing any parameters to be passed to it, so you can't use it the way umask was used in the previous example. But you can replace the last line in the script with:

SHELL=/usr/lib/openssh/sftp-server newgrp git

Actually, calling newgrp for some group I belong to emits a password request, so I was unable to check this solution (I mean only the newgrp one), but it works when I pass /bin/id on my laptop (without SSH), so if you get newgrp working for the user, no problems should arise.

whitequark

Posted 2010-01-14T20:23:46.870

Reputation: 14 146

2

To add to what whitequark is saying, you could build a solution along those lines but use the sg command in place of newgrp, which is a kind of su for groups. Look it up as "man sg" on any Linux system, at least.

Jan Ivar Beddari

Posted 2010-01-14T20:23:46.870

Reputation: 21
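Putting the two answers above together, as an added example that is not code from either post: a generator for the subsystem wrapper that forces a umask (whitequark's trick) and switches the effective group with sg (Jan Ivar Beddari's suggestion) before exec'ing the real server, plus a local probe that shows what the chosen umask does to a freshly created file. The server path /usr/lib/openssh/sftp-server, the group name git and the umask 026 are assumptions copied from the answer, not values from any real host; GNU stat is assumed for the probe.

```shell
#!/bin/sh
# Added example (not code from the original answers): generate the sftp
# subsystem wrapper described above, combining its umask trick with sg so
# files land with a fixed mode and a fixed group, then probe the umask locally.
# Assumptions, all taken from the answer rather than from a real host:
#   - the real server is /usr/lib/openssh/sftp-server
#   - the group to write as is "git"
#   - the umask to force is 026 (new files 640, new directories 751)

SFTP_SERVER=/usr/lib/openssh/sftp-server
TARGET_GROUP=git
FORCED_UMASK=026

# write_sftp_wrapper PATH: write the wrapper script to PATH, mark it executable
# and syntax-check it. Point sshd at it by replacing the stock definition with
#   Subsystem sftp PATH
# in sshd_config and reloading sshd.
write_sftp_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
# sftp subsystem wrapper: fix the umask and the effective group, then exec the
# real sftp-server so sshd still talks to one process with the right exit status.
umask $FORCED_UMASK
# sg runs a single command with $TARGET_GROUP as the effective group. The account
# must be listed as a member of $TARGET_GROUP in /etc/group; otherwise sg asks
# for a group password, which an sftp client cannot answer, and the session dies.
exec sg $TARGET_GROUP -c '$SFTP_SERVER'
EOF
    chmod 0755 "$1" && sh -n "$1"
}

# file_mode_under_umask UMASK: create a file in a scratch directory under UMASK
# and print its permission bits in octal, so the effect of the wrapper's umask
# can be checked on the local box without an SSH server (GNU stat assumed).
file_mode_under_umask() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/probe" )
    mode=$(stat -c '%a' "$dir/probe")
    rm -rf "$dir"
    echo "$mode"
}

# Stand-alone run: write the wrapper to a scratch path and show the umask effect.
demo_path=$(mktemp)
write_sftp_wrapper "$demo_path"
echo "wrapper written to $demo_path; umask $FORCED_UMASK gives file mode $(file_mode_under_umask "$FORCED_UMASK")"
rm -f "$demo_path"
```

Two caveats worth checking before relying on this. A umask can only clear permission bits, never add them, so a client that explicitly asks for a 0600 file still gets 0600; the wrapper guarantees an upper bound, not a fixed mode. And the Subsystem line is only consulted when sshd actually execs the external server: a Match block with ForceCommand internal-sftp (or a ChrootDirectory setup that uses it) runs the in-process server and never sees the wrapper.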

1

chmod g+s directory
Will grant ownership to the user's group for all directories & files created in the future.

csi

Posted 2010-01-14T20:23:46.870

Reputation: 213
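The setgid-directory approach from this answer, as an added example that is not part of the original post. A file created inside a directory with the setgid bit inherits the directory's group rather than the creating process's primary group; the permission bits still come from the umask, so this pairs with the wrapper above rather than replacing it. The function takes a group the caller belongs to (chgrp refuses any other; the project group the sftp user should write as is the assumed real-world argument), builds a scratch setgid directory and checks the inheritance. GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original answer: show what chmod g+s on a
# directory actually does. Files created inside a setgid directory get the
# directory's group, whatever the creating user's primary group is; their
# permission bits are still decided by the creating process's umask.
# Assumption: GROUP is a group the caller belongs to (chgrp refuses anything
# else); in a real deployment it is the project group the sftp user writes as.

# setgid_dir_demo GROUP: build a setgid directory owned by GROUP, create a file
# in it, print "<dir mode> <file group> <file mode>" and return 0 only when the
# file inherited GROUP (GNU stat assumed).
setgid_dir_demo() {
    group=$1
    dir=$(mktemp -d)
    chgrp "$group" "$dir" || { rm -rf "$dir"; return 2; }
    chmod 2770 "$dir"                    # rwxrws---: the leading 2 is setgid
    ( umask 007 && : > "$dir/newfile" )  # umask still sets the mode: 660
    dir_mode=$(stat -c '%a' "$dir")
    file_group=$(stat -c '%G' "$dir/newfile")
    file_mode=$(stat -c '%a' "$dir/newfile")
    rm -rf "$dir"
    echo "$dir_mode $file_group $file_mode"
    [ "$file_group" = "$group" ]
}

# Stand-alone run against the caller's own primary group. With a primary group
# the outcome looks the same with or without setgid; the run that proves the
# point uses a supplementary group, e.g.  setgid_dir_demo projectgroup
setgid_dir_demo "$(id -gn)"
```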

0

I would assume that this is server specific. Check the server configuration for potential configuration options.

pcapademic

Posted 2010-01-14T20:23:46.870

Reputation: 3 283

Well, it is the sftp program which comes with OpenSSH (under linux). It is just not obvious to me how to do what I want, totally transparent to the sftp user. – user24844 – 2010-01-15T18:16:41.467