Ssh Umask

So it should be possible to set a per-user umask for user someuser in the GECOS field, for example using sudo chfn -o umask=0444 someuser, and then either setting umask=0022 in the pam_umask entry in /etc/pam.d/sshd or, perhaps better, omitting the umask= option there altogether so that other users fall back to the umask specified in the default files.

From sftp-server(8): -u umask. Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask. The umask is given in octal, for example umask 0027.

So we're trying to set up an ssh server for a client that automatically applies a umask to a directory that allows for all uploaded files to automatically take on 002.
We can't use ACLs for this since it's an NFS4 mount point and NFS4_acl is not working for some reason.
Here is what we've tried.
Creating a custom login shell that forces umask 002 and putting it in /bin/set-umask. I am able to sftp in but when I put a file up to the server it uploads it in mode 0644 so that doesn't work.
I tried setting in OpenSSH to force -u 002.
We're using subsystem sftp internal-sftp by the way.
Adding a -u 002 does not work for whatever reason. OpenSSH version is 5.3. OS version is RHEL 6.
We tried adding in pam.d/login and pam.d/sshd to force umask using
session optional pam_umask.so umask=002
This also does not work.
Basically, we need this to work. We are not allowing the sftp users to have an interactive shell, so .profile, .bashrc and .bash_profile are not options, and we don't want to set it system-wide as it will mess with regular ssh users.
Does anyone have any advice on the best way to get this working?

It took at least an hour of Googling to find this solution, so I’m posting it here for reference and hopefully it could help others.

If you’re not using a chroot jail, you can follow this: http://jeff.robbins.ws/articles/setting-the-umask-for-sftp-transactions

This involves setting the umask in sshd_config on the Subsystem line; however, it doesn't work for chrooted users, as the umask gets set, the ssh session starts and the chroot recreates the umask info (this is how I understand it, anyway).

So if you’re using chroot for users, you probably have something similar to this in your sshd_config:

Subsystem sftp internal-sftp
UsePAM yes

Match User username
    ChrootDirectory /path/to/directory
    ForceCommand internal-sftp


You should then edit the file /etc/pam.d/sshd and add the following:


session optional pam_umask.so umask=0002


And in /etc/profile, if it’s not already there (it was for me on Ubuntu 10.10), add the following at the bottom:


umask 022

And that’s it. internal-sftp does not execute any shell, so it won’t take any notice of information in profile, login or rc files; however, PAM authentication is used, so the configuration is picked up there instead (unless, of course, you’ve turned PAM off).
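As an added example (not part of the original post or of OpenSSH), the following POSIX shell script shows what a given umask does to the mode of newly created files and directories, and checks an sshd PAM stack for the pam_umask session line set up above; the sample PAM lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post.
# mode_for_umask BASE UMASK: print the octal mode a new object gets when the
# kernel applies UMASK to BASE (0666 for files, 0777 for directories).
# Both the sftp-server(8) -u option and pam_umask work by setting exactly this
# mask before the file is created. (-u exists from OpenSSH 5.4 onwards; the
# 5.3 server in the question above does not know it, so PAM is the route.)
mode_for_umask() {
    base=$1
    mask=$2
    # Treat the arguments as octal even when written without a leading zero.
    case $base in 0*) ;; *) base=0$base ;; esac
    case $mask in 0*) ;; *) mask=0$mask ;; esac
    printf '%04o\n' $(( $base & ~$mask ))
}

# pam_umask_setting: read a PAM service file on stdin and print the umask
# configured on its first active "session ... pam_umask.so" line, "default"
# if the module is present without umask= (the value then comes from the
# user's GECOS field or login.defs), or "none" if pam_umask is not configured.
pam_umask_setting() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "session" && /pam_umask\.so/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i; found = 1; exit }
            print "default"; found = 1; exit
        }
        END { if (!found) print "none" }
    '
}

# Constructed sample of an /etc/pam.d/sshd stack (not taken from a real host).
sample_pam_sshd() {
    cat <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
# session  optional     pam_umask.so umask=0077   <- commented out, ignored
session    optional     pam_umask.so umask=0002
session    required     pam_loginuid.so
EOF
}

echo "file mode with umask 0002: $(mode_for_umask 0666 0002)"   # 0664
echo "dir  mode with umask 0002: $(mode_for_umask 0777 0002)"   # 0775
echo "file mode with umask 0022: $(mode_for_umask 0666 0022)"   # 0644
echo "pam_umask in sample sshd stack: $(sample_pam_sshd | pam_umask_setting)"  # 0002
```

Run pam_umask_setting against a live stack with pam_umask_setting < /etc/pam.d/sshd to confirm the line is active and not commented out.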


Ref: http://ubuntuforums.org/archive/index.php/t-1107974.html