For When You Can't Have The Real Thing

sftp umask

Created by dave. Last edited by dave, 11 years and 292 days ago. Viewed 5,952 times. #7
(23 March 2011)

Problem

When sftp-server is run in chroot mode, the default umask is not suitable. Uploaded files are 644 and created directories are 775. I do not want "other" permissions on uploaded files or created directories.

With this change, files are uploaded as 640 and directories are created as 770. While not exactly what I want, it is close enough.
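The modes above are the result of the kernel applying the sftp-server process umask to the mode passed to open(2) and mkdir(2). The following C program is an added example, not the author's patch: it shows that arithmetic and verifies it against a real file and directory created under a chosen umask. It assumes request modes of 0666 for files and 0777 for directories (the actual request mode depends on the client) and a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mode the kernel stores for a new inode: requested bits minus umask bits. */
mode_t effective_mode(mode_t requested, mode_t mask) {
    return requested & ~mask & 07777;
}

/* Create a file (open(O_CREAT, file_req)) and a directory (mkdir(dir_req))
 * under 'mask', then read the resulting modes back with stat().
 * Returns 0 and fills *file_mode / *dir_mode on success, -1 on error.
 * The probe runs under a private mkdtemp() directory in /tmp (assumption). */
int probe_umask(mode_t mask, mode_t file_req, mode_t dir_req,
                mode_t *file_mode, mode_t *dir_mode) {
    char tmpl[] = "/tmp/umask-probe-XXXXXX";
    char path[64];
    struct stat st;
    int fd, rc = -1;
    mode_t saved = umask(mask);        /* umask() returns the previous mask */

    if (mkdtemp(tmpl) == NULL)
        goto restore;
    snprintf(path, sizeof path, "%s/upload", tmpl);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, file_req);
    if (fd < 0 || stat(path, &st) != 0)
        goto cleanup;
    close(fd);
    *file_mode = st.st_mode & 07777;
    unlink(path);

    snprintf(path, sizeof path, "%s/newdir", tmpl);
    if (mkdir(path, dir_req) != 0 || stat(path, &st) != 0)
        goto cleanup;
    *dir_mode = st.st_mode & 07777;
    rmdir(path);
    rc = 0;
cleanup:
    rmdir(tmpl);
restore:
    umask(saved);                      /* put the caller's umask back */
    return rc;
}

int main(void) {
    mode_t f, d;
    if (probe_umask(027, 0666, 0777, &f, &d) == 0)
        printf("umask 027: file %04o, dir %04o\n", f, d);
    return 0;
}
```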

Commentary

Two comments:

  • This is only necessary if you are doing chrooted sftp. If you are doing regular sftp, use the changing-the-subsystem-call trick listed here.
  • Users can still change their umasks after connecting via sftp. This only changes the default umask. In practice, most users won't mess with their umasks, and if you are paranoid enough that you are using chrooting for sftp, I presume you have designed your filesystem hierarchy to defend against crazy users.

Disclaimer

I am not a programmer. This probably doesn't do what you want. Don't use it. If you do this and something goes wrong, horribly or not, my liability is limited to feeling bad for you on a best-effort basis.

Solution

Get openssh-5.8p1.tar.gz from http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

Put the two patch files attached to this page somewhere like /tmp

# tar zxvf openssh-5.8p1.tar.gz
# cp openssh-5.8p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp openssh-5.8p1.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS
# patch -p1 < /tmp/openssh-58.p1-Centos-SPEC-diff.patch
# cp /tmp/openssh-5.8p1dgm1.patch ../SOURCES
# rpmbuild -ba openssh.spec

Note: the patch for the .spec file also includes the changes worked through on the Building OpenSSH-Portable for CentOS page.

You should end up with some openssh RPMs of version 5.8p1-1b.
