I know this question has already been discussed, but by reading the posts I could not figure out the answer, because some said "yes, umask can work", and others say "the OpenSSH put command always preserves permissions".
Before all, just to be precise:
- I use OpenSSH 5.9 on RHEL 6.2
- I have configured a chrooted SFTP server, using the internal-sftp subsystem, with -u 0002 for umask
- I precise I don't use the -p or -P option
From what I have read, on one hand there are many ways to define the umask for SFTP transfers:
- the -u option of internal-sftp (or sftp-server), since OpenSSH 5.4
- create a wrapper to sftp-server (in which we explicitly set the umask; this doesn't fit a chrooted environment, btw)
- add a specific configuration in the pam.d/sshd file
On the other hand I have read:
The OpenSSH SFTP client and server do transfer the permissions (as an extension) and create the remote file with the permissions on the local side. AFAICT, there is no way to disable this behavior.
So I did the following test:
On my client I created file MYFILE and directory MYDIR with permissions 600 and 700.
Then with sftp commands:
mkdir => the new directory has permissions following the umask (OK)
put MYFILE => MYFILE has the same permissions as on the client (KO)
put -r MYDIR => MYDIR has the same permissions as on the client (KO)
If I change the permissions of MYFILE and MYDIR on the client side and upload again, I get the new permissions on the server side.
I tried the pam.d solution too, but it changed nothing.
So now I'm confused:
From what I tested and part of what I read, I would say OpenSSH always preserves permissions. But as there are many posts saying that a umask could be defined, I can imagine I'm doing something wrong in my test configuration.
I would appreciate some experienced feedback.
Thank you.
First, the umask is about the server, not the client. So asking if the put command of the OpenSSH client uses umask is wrong. You should ask if the OpenSSH server uses umask when creating a file as a result of an SFTP upload.
Anyway, what the OpenSSH SFTP client does:
- put without the -P flag: it asks the server to create a file with the same permissions as the local file has. The OpenSSH server then (implicitly, by *nix rules) applies the umask.
- put with the -P flag: it starts the same, but after the upload completes, the client asks the server to explicitly (re)set the permissions to the same the local file has (a "chmod" request). For "chmod", the umask does not apply.
- mkdir: it asks the server to create a directory with permissions 0777. The umask implicitly applies.
Anyway, I believe that umask 0002 has no effect on a file with permissions 0600, as these are mutually exclusive. You should try your umask against a file with permissions like 0644.
So actually, it should work, if you have your system configured as you describe. See evidence from my box (Ubuntu with OpenSSH 6.2p2):
See the difference in permissions after put vs. put -P:
Btw, the latest SFTP specification defines the behavior of the client and server regarding umask. As you can see, OpenSSH actually violates that, although OpenSSH implements SFTP version 3, which had no mention of umask yet.