I have a weird issue when trying to upload files to a server using SFTP.
When, for maximum security, I use a user with a disabled shell ("/bin/false") to upload files, I get mode 640 for the uploaded files, and this is not what I want (local files have mode 664).
However, when I enable the shell "/bin/bash" for the same user, I get the correct mode, 664.
I am not sure I understand what is happening here: why does disabling the shell change the mode of the uploaded files?
My sshd configuration:
Port 22
Protocol 2
AcceptEnv LANG LC_*
UsePAM yes
UseDNS no
Subsystem sftp internal-sftp
By not having a valid shell, the system default umask isn't being applied/used.
What you can do is put your users in a group, and force a few things via the /etc/sshd_config file, including a umask - the -u 0002 option sets a umask for the internal-sftp program/subsystem and any files uploaded through it IF the user is a member of the uploadusers group.
Personally I also chroot the users so that they can only access their directories - check the ChrootDirectory option as it applies to a Match Group directive in the sshd_config file.
The reason behind this is that when a shell is involved, a UMASK is being applied. In your case, it's likely (for bash) being applied inside of /etc/bashrc (this is assuming some modern Red Hat/CentOS 7 version); the location of these files might vary. When using nothing, check the UMASK setting in /etc/profile maybe.
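
The Match Group setup described in the answer above, written out as an added example (not the answerer's own configuration). The group name uploadusers and the -u 0002 value come from that answer; ChrootDirectory %h and the forwarding settings are assumptions.

```conf
# sshd_config fragment (added example, not from the original posts)

# Global subsystem line, as in the question: no explicit umask is set,
# so uploads depend on whatever umask the session happens to inherit.
Subsystem sftp internal-sftp

# Everything below applies only to members of the uploadusers group.
Match Group uploadusers
    # Always run the in-process SFTP server, regardless of the login shell
    # or the command the client requests, with an explicit umask of 0002.
    # A file the client asks to create as 664 is then stored as 664.
    ForceCommand internal-sftp -u 0002

    # Confine the session to the user's home directory (assumed layout).
    # Every component of the chroot path must be owned by root and not
    # writable by group or others, so uploads go into a user-writable
    # subdirectory beneath it.
    ChrootDirectory %h

    # An upload-only account has no use for forwarding (assumed policy).
    AllowTcpForwarding no
    X11Forwarding no
```

Run `sshd -t` to check the file for syntax errors before reloading the daemon, and keep an existing session open while testing the new login.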