
I have a rather simple sftp Docker container in which I have the following /etc/ssh/sshd_config, inspired by so many different sources on the Internet – no claims that it's perfect, but hey, it kind of works.

Port 22
Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

PermitRootLogin no

PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication yes

ChallengeResponseAuthentication yes

UsePrivilegeSeparation sandbox

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem sftp internal-sftp -u 0002

Match Group sftponly
      ChrootDirectory %h
      ForceCommand internal-sftp
      AllowTcpForwarding no
      X11Forwarding no

Emphasis on the Subsystem line towards the end. It is my understanding that the -u option sets the umask for the process, and therefore for the users that log into it. Needless to say, my poor user keeps creating files with permissions 644/755 instead of the expected 664/775.

What am I missing? Is there a capability that my container is missing? Is there something else?

Morpheu5
  • The `umask` gets set usually also in startup scripts (`~/.bashrc` and so) or in PAM: `pam_umask`. It is possible it gets overwritten by some of these means. – Jakuje Apr 12 '16 at 07:30
  • Startup scripts should not get invoked, as these are `nologin` accounts. I'll look into PAM, thanks for the heads up. – Morpheu5 Apr 12 '16 at 09:15

1 Answer

OpenSSH implements SFTP version 3, described in draft-ietf-secsh-filexfer-02.txt. Version 3 of the SFTP protocol includes a command for the client to set file attributes for files on the server. The file attributes which can be set include the file's permissions.

A umask is only applied when a file (or directory, etc.) is created. A process can call chmod() to change a file's attributes, and these calls are not subject to a umask.

In other words, despite the umask, the client can set permissions on files to whatever it wants by sending an explicit command to set the permissions.

Kenster
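An added example, not taken from the question, the answer or OpenSSH itself, that shows the mechanism the answer describes end to end. It encodes and decodes a minimal SSH_FXP_SETSTAT request in the draft-02 wire format (type 9, request id, path string, ATTRS block), creates a file under umask 0002 so that the requested 0666 becomes 0664, and then applies the decoded permissions with chmod the way a server would, which is not masked. The request id, path, helper names and the returned dictionary keys are constructed for the demonstration.

```python
import os
import stat
import struct
import tempfile

# Packet type and ATTRS flag bits as numbered in draft-ietf-secsh-filexfer-02
SSH_FXP_SETSTAT = 9
ATTR_SIZE = 0x00000001
ATTR_UIDGID = 0x00000002
ATTR_PERMISSIONS = 0x00000004
ATTR_ACMODTIME = 0x00000008


def build_setstat(request_id: int, path: str, perm: int) -> bytes:
    """Encode an SSH_FXP_SETSTAT request carrying only a permissions attribute.
    Layout: uint32 length, byte type, uint32 id, string path, ATTRS.
    (Constructed for the demo; a client sends this after an upload.)"""
    p = path.encode()
    body = struct.pack(">BI", SSH_FXP_SETSTAT, request_id)
    body += struct.pack(">I", len(p)) + p
    body += struct.pack(">II", ATTR_PERMISSIONS, perm)  # ATTRS: flags, permissions
    return struct.pack(">I", len(body)) + body


def parse_setstat(packet: bytes) -> dict:
    """Decode a SETSTAT request into its id, path and the attributes it sets."""
    (length,) = struct.unpack_from(">I", packet, 0)
    if length != len(packet) - 4:
        raise ValueError("truncated or padded packet")
    ptype, request_id = struct.unpack_from(">BI", packet, 4)
    if ptype != SSH_FXP_SETSTAT:
        raise ValueError("not an SSH_FXP_SETSTAT packet")
    off = 9
    (plen,) = struct.unpack_from(">I", packet, off)
    off += 4
    path = packet[off:off + plen].decode()
    off += plen
    (flags,) = struct.unpack_from(">I", packet, off)
    off += 4
    attrs = {}
    if flags & ATTR_SIZE:
        (attrs["size"],) = struct.unpack_from(">Q", packet, off)
        off += 8
    if flags & ATTR_UIDGID:
        attrs["uid"], attrs["gid"] = struct.unpack_from(">II", packet, off)
        off += 8
    if flags & ATTR_PERMISSIONS:
        (attrs["permissions"],) = struct.unpack_from(">I", packet, off)
        off += 4
    if flags & ATTR_ACMODTIME:
        attrs["atime"], attrs["mtime"] = struct.unpack_from(">II", packet, off)
        off += 8
    return {"id": request_id, "path": path, "attrs": attrs}


def demo(umask: int = 0o002) -> dict:
    """Create a file under the given umask, then apply a client SETSTAT the way
    a server would (plain chmod), and report the mode after each step."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "upload.txt")
            # Creation: the requested 0666 is masked, giving 0664 under umask 0002
            fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
            os.close(fd)
            created = stat.S_IMODE(os.stat(path).st_mode)
            # Client follow-up: SSH_FXP_SETSTAT asking for 0644 (constructed id 7)
            req = parse_setstat(build_setstat(7, path, 0o644))
            os.chmod(req["path"], req["attrs"]["permissions"])  # umask not applied
            after = stat.S_IMODE(os.stat(path).st_mode)
            return {"created": created, "after_setstat": after}
    finally:
        os.umask(old)


if __name__ == "__main__":
    r = demo()
    print("mode at creation: %o, after SETSTAT: %o" % (r["created"], r["after_setstat"]))
```

Run it on any Linux host: the mode is 664 right after creation, because that is the only point at which the umask is consulted, and 644 after the SETSTAT is honoured. The same applies to the mode a client passes in SSH_FXP_OPEN, since a umask can only clear permission bits, never add the group-write bit the question expects.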