
I configured OpenSSH like this

Subsystem sftp internal-sftp

Match Group sftp
    ForceCommand internal-sftp -u 002
    AuthorizedKeysFile    /home/sftp/ssh/%u
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no

This configuration is working, but there is one problem: Files or folders which are copied from local drive to sftp keep their permissions (usually 755) and no other sftp-user has access to them.

The other sftp-users only have full permissions if someone creates a folder or file or copies a file with 775 permissions.

Is there a way that all files in the sftp-directory have 775 permissions? At the moment I'm using chmod -R 775 /home/sftp/files/ to set it manually, but this isn't the solution I would like to have...

Thanks

Jakuje
RafaelKr

1 Answer


With this setup it is not possible, because umask is not a strong enough tool to force permissions if the original permission is lower. There are a few solutions for how to deal with this:

  • The first of them is the chmod you mentioned, which you would need to run periodically to make all files accessible to all users.

  • The other solution is the -m switch for sftp-server, which solves this issue by forcing exact permissions on newly uploaded files. This feature is not upstream, but it is available at least in RHEL/Fedora, specifically for this use case.

Jakuje
  • Okay, installing RHEL or Fedora is not an option because it's running on a WD MyCloud. Then I think I have to write a little script which watches for new files and chmods them. At the moment I'm running Debian, is there really no other solution than these 2 mentioned by you? – RafaelKr Sep 10 '15 at 16:47
  • @Joriktos Another, but still the same, possibility is to rebuild the openssh package (or at least sftp-server) from source with the patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1844 – Jakuje Sep 10 '15 at 17:01
  • I tried this, but it isn't working. If I try to connect with sftp it instantly responds with "Connection closed" – RafaelKr Sep 11 '15 at 13:20
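
The periodic chmod from the answer and the file-watching script mentioned in the comments, as an added example that is not part of the original thread. The function names and the `--once`/`--watch` modes are hypothetical, the default path is the one from the question, and the watch mode assumes `inotifywait` from inotify-tools is installed. It copies the owner's bits to the group (`chmod g=u`) instead of applying a blanket 775, so uploaded data files do not become executable.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the shared tree is /home/sftp/files (the path chmod is run on
# in the question); the --watch mode needs inotifywait from inotify-tools.

# normalize_perms DIR
# Copy the owner's permission bits to the group (chmod g=u) on every regular
# file and directory under DIR that is not yet group-writable:
# 755 -> 775, 644 -> 664, 600 -> 660. Unlike "chmod -R 775" this does not mark
# plain data files executable. Symlinks are skipped so that a link planted by
# an uploader cannot redirect the chmod to its target.
normalize_perms() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    find "$1" \( -type f -o -type d \) ! -perm -020 -exec chmod g=u {} +
}

# watch_uploads DIR
# Re-run normalize_perms on the affected directory each time a file is closed
# after writing, moved in, or a new entry is created below DIR.
watch_uploads() {
    command -v inotifywait >/dev/null 2>&1 ||
        { echo "inotifywait not found" >&2; return 1; }
    normalize_perms "$1" || return 1
    inotifywait -m -r -q -e close_write -e moved_to -e create \
        --format '%w' "$1" |
    while IFS= read -r parent; do
        normalize_perms "$parent"
    done
}

# Usage: script --once [DIR]    (for example from cron)
#        script --watch [DIR]   (long-running watcher)
case "${1:-}" in
    --once)  normalize_perms "${2:-/home/sftp/files}" ;;
    --watch) watch_uploads   "${2:-/home/sftp/files}" ;;
esac
```

Point it at the shared data directory, not at the ChrootDirectory itself: sshd requires every component of the chroot path to be root-owned and not writable by group or others, and refuses the login otherwise.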