
Every file uploaded has the wrong permissions so my webserver (Nginx) can't read them. When I manually adjust them by running `sudo chmod -R 755 /var/www/*` it works again, but I'd have to do it every time I upload a new file. How can I automatically set all permissions of files uploaded via SFTP to 755?

I also tried adding this line to sshd_config:

```
Subsystem    sftp    internal-sftp   -u 0022
```
leonheess
  • Look into ACLs. You can give nginx an ACL on the `/var/www` directory (or better yet, a specific subfolder intended for user uploads, so a hole in your upload script can't overwrite your site's code). – ceejayoz May 13 '20 at 14:31

1 Answer


First, it's a bad idea to have files executable, so a better solution should be to make folders 755 and files 644 (or 640):

```
find /var/www/ -type d -exec chmod 755 {} \;
find /var/www/ -type f -exec chmod 644 {} \;
```

Now, to ensure files are uploaded with specific permissions, check out umask:

https://docs.oracle.com/cd/E19683-01/817-3814/userconcept-95347/index.html


Change the /etc/ssh/sshd_config like this:

```
Subsystem sftp internal-sftp -u 0022
```

And if you have a group:

```
Match Group xyz
  .
  .
  .
  ForceCommand internal-sftp -u 0022
```
leonheess
Ron
  • I know about umask but where to apply it? – leonheess May 13 '20 at 10:20
  • Try in `/etc/login.defs`, although it can be overwritten in a service startup script like `/etc/init.d/ssh` or `/lib/systemd/system/ssh.service` – Ron May 13 '20 at 10:22
  • What is `{} \;` for? – leonheess May 13 '20 at 10:24
  • That is how you need to execute an `-exec` with `find`: `{}` is the name of each file, `\;` is how the line is treated. – Ron May 13 '20 at 10:25
  • Yes, `Subsystem sftp /bin/sh -c 'umask ; /usr/libexec/openssh/sftp-server'` or `Subsystem sftp /usr/libexec/openssh/sftp-server -u ` – Ron May 13 '20 at 10:28
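
An added example, not part of the thread above: a umask only clears bits from the mode the creating program requests, so it helps to check what a given umask actually yields and to audit the web root against the answer's target modes (directories 755, files 644). The function names `effective_mode`, `audit_webroot` and `normalize_webroot` are hypothetical, and the script works only on a constructed temporary directory.

```shell
#!/bin/sh
# Added example: works only on a constructed temporary directory.

# Mode a newly created file or directory ends up with: the mode the creating
# program requested, with the umask bits cleared. A umask only removes bits.
effective_mode() {      # usage: effective_mode REQUESTED_OCTAL UMASK_OCTAL
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Print every entry under DIR that differs from the answer's target modes
# (directories 755, regular files 644).
audit_webroot() {       # usage: audit_webroot DIR
    find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# Apply the same target modes as the answer's two find commands
# ({} + batches many paths into one chmod call instead of one per file).
normalize_webroot() {   # usage: normalize_webroot DIR
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

demo() {
    root=$(mktemp -d) && chmod 755 "$root" || return 1
    # Constructed sample tree: one file created under umask 022, one under 077.
    ( umask 022; mkdir "$root/uploads"; : > "$root/uploads/page.html" )
    ( umask 077; : > "$root/uploads/private.html" )    # ends up 600
    echo "requested 666, umask 022 -> $(effective_mode 666 022)"
    echo "requested 600, umask 022 -> $(effective_mode 600 022)"
    echo "entries the web server may not be able to read as intended:"
    audit_webroot "$root"
    normalize_webroot "$root"
    echo "after normalizing: $(audit_webroot "$root" | wc -l) offending entries"
    rm -rf "$root"
}
demo
```

Running `audit_webroot` after an upload shows whether the configured umask took effect or whether files arrived with a more restrictive requested mode.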