CentOS SFTP SSH - How to always create files with rwx-rwx-r-x and always owned by a certain group

I have a user myuser, which is only allowed to connect to ssh via sftp. I'd like this user to always create files with rwx-rwx-r-x and always owned by the group apache. I've tried to accomplish the file permissions part with umask, but in umask files and directories get different permissions for the same umask. Help is appreciated.


Solution 1:

Background

This is an everlasting problem of sftp and sharing files. It is because the resulting permissions are based on the original permissions of the file on the user side, and the umask (-u) argument does not force such permissions, but only strips the unwanted permissions. This means that only if the user tries to upload a file with permission 0777 is it applied and stripped down to 0775. Otherwise it is just left as it was. For example, if the user has a file stored on his file system with permission 0700, it will also appear after upload as 0700.

Solution

Recently we solved this issue in Fedora by applying a patch which forces the exact permissions of newly uploaded files using the -m switch to sftp-server. It is based on this upstream bug:

https://bugzilla.mindrot.org/show_bug.cgi?id=1844

This is available in current CentOS 7.2. From the changelog:

 - Add sftp option to force mode of created files (#1197989)

Workaround

There is no other elegant solution except some periodically running script (from cron), which fixes the wrong permissions. It would be some one-liner in bash, but I guess you can think of some. I can elaborate on this more if you are interested.

Or you can use inotify to "catch" changes earlier.
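
Added example (not part of the original answer): one way to write the periodic fixer described in the workaround, as a POSIX shell function that a cron job can call. The function name, the script layout and the choice of mode 2775 (setgid, so new entries inherit the group) for directories are assumptions; mode 775 and the group apache come from the question.

```shell
#!/bin/sh
# Added example: periodic permission fixer for an SFTP upload tree.
# fix_upload_perms is a hypothetical name, not part of OpenSSH or CentOS.
#
# Usage: fix_upload_perms DIR GROUP [FILE_MODE]
#   DIR        upload directory to walk (must be a real directory, not a symlink)
#   GROUP      group every file and directory should belong to (e.g. apache)
#   FILE_MODE  exact mode for regular files, default 775 (rwxrwxr-x)
# Returns 0 on success, 2 on bad arguments.
fix_upload_perms() {
    dir=$1
    grp=$2
    fmode=${3:-775}

    [ -n "$dir" ] && [ -n "$grp" ] || return 2
    # Refuse a symlinked root: the uploading user must not be able to
    # redirect the fixer to another part of the file system.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 2

    # find does not follow symlinks by default, and -type f / -type d never
    # match a symlink, so links planted inside the tree are left alone.
    # chgrp runs before chmod because changing the group can clear
    # set-id bits that chmod is about to set.

    # Regular files: touch only those whose group or mode is wrong.
    find "$dir" -type f ! -group "$grp" -exec chgrp "$grp" {} +
    find "$dir" -type f ! -perm "$fmode" -exec chmod "$fmode" {} +

    # Directories: same group, rwxrwxr-x plus setgid (assumption, see above)
    # so files created later inherit the group from the parent directory.
    find "$dir" -type d ! -group "$grp" -exec chgrp "$grp" {} +
    find "$dir" -type d ! -perm 2775 -exec chmod 2775 {} +
}

# Run directly when called with arguments, e.g. from cron:
#   fix_upload_perms.sh <upload-dir> apache
if [ "$#" -ge 2 ]; then
    fix_upload_perms "$@"
fi
```

The job has to run as root or as a user that owns the files and is a member of the target group, otherwise chgrp fails.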


Group should be inherited from the parent directory, shouldn't it?