
I need to control the transferring of files on my server. Some files are sent through scp to my server and I want such files to have a specific set of permissions, let's say 770. I tried pam_umask.so in /etc/pam.d/login and setting umask in /etc/profile but it seems to not work.

Which is the best way on Linux to force an umask for files transferred via scp?

Regards, Andrea

larsks
Kerby82
  • did you also add `session optional pam_umask.so umask=770` to `/etc/pam.d/common_session`? – Stefan Ferstl Aug 01 '12 at 16:41
  • There's no common_session on centos 5, I added the pam_umask in the system-auth but it's not working :-( – Kerby82 Aug 03 '12 at 08:54
  • Could you try to put the config directly into `/etc/pam.d/sshd`? That is the place where the config should end up finally. (on my distro, which is not centos, I have `common-session` file which is included in the other configs) – Stefan Ferstl Aug 04 '12 at 08:46

1 Answer


AFAIK, scp does not initialize a shell, and thus doesn't source any file such as .profile, .bashrc, /etc/profile.

So the only way of doing this, as commented by Stefan Ferstl, seems to be to use the pam module pam_umask.so.

The file /etc/pam.d/sshd is probably the best place to do it, if you want to limit this behavior to ssh sessions:

```
session optional pam_umask.so umask=0007
```
  • Actually, scp runs another copy of scp on the remote system, and the remote process would be launched as a shell command. If the remote user's shell is `bash` for example, it would start up as a non-interactive, non-login process. It ought to read .bashrc in this case, but not .bash_profile or the other files sourced for login sessions. – Kenster Jan 26 '15 at 22:38
  • Well, it doesn't on my system, using openssh. The session is opened on the remote system by `sshd` which launches `scp` directly, without a shell. And `.bashrc` isn't sourced. – Christophe Drevet Jan 27 '15 at 07:40
  • http://pastebin.com/eBr273CD. It may not be obvious that bash is being used because it optimizes this case, and doesn't fork before exec'ing scp. – Kenster Jan 27 '15 at 12:34
  • Still, I didn't manage to set the permissions mask through `.bashrc`. I'll look into that again when I have some time to do more tests. – Christophe Drevet Jan 27 '15 at 18:05
  • In my testing, this approach can **reduce permissions** but not **expand permission**. A umask of `0007` will change uploaded files from 777 to 770, but a umask of `0000` will not change a file from 770 to 777. Setting perms explicitly (`chmod ... ; scp -p`) seems to be the only option. – Akom Oct 05 '21 at 14:16
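
The masking behaviour discussed in the answer and in the last comment, as an added example that is not part of the original thread: a umask only clears bits from the mode requested when a file is created, so the result is `requested & ~umask`. It assumes the receiving process creates the upload with the sender's file mode, as that comment's test suggests; `mode_after_create` and the sample modes are constructed for illustration, and the scratch directory is assumed to carry no default ACL.

```python
import os
import stat
import tempfile


def mode_after_create(requested_mode, umask):
    """Create a file the way a receiving process does: open(2) with O_CREAT
    and the mode the sender asked for. Return the permission bits actually set."""
    # Make the scratch directory before changing the umask, so a restrictive
    # mask cannot lock us out of it.
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "upload.bin")
        previous = os.umask(umask)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
        finally:
            os.umask(previous)  # always restore the caller's umask
        os.close(fd)
        return stat.S_IMODE(os.stat(path).st_mode)


# Constructed cases: (mode requested at creation, umask in effect)
CASES = [
    (0o777, 0o007),  # mask removes the "other" bits
    (0o770, 0o000),  # an empty mask cannot add bits that were never requested
    (0o644, 0o007),  # a typical source file keeps at most its own bits
    (0o777, 0o770),  # 770 used as a mask strips owner and group instead
]

if __name__ == "__main__":
    for requested, mask in CASES:
        got = mode_after_create(requested, mask)
        print(f"requested {requested:04o}  umask {mask:04o}  ->  {got:04o}")
```

To check what a given PAM setting will do to uploads, compare the mode of the source file with the mode on the server after the copy; the difference should be exactly the bits set in the umask.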