How to set up ssh's umask for all types of connections
I can suggest trying 2 things:
- pam_umask
- LD_PRELOAD wrapper (self-written?)
Here is a solution that will let you do what you want on a per-user basis. It uses only native sshd
features and does not require mucking about with locally maintained patches. This solution takes advantage of the ForceCommand
behavior of sshd to insert an environment-setup script into every ssh connection, and then run the original command.
First, create a script somewhere on your system with the following contents:
#!/bin/sh
umask 0027
exec /bin/sh -c "${SSH_ORIGINAL_COMMAND:-$SHELL}"
For the purposes of this example I'll assume you've called this /usr/bin/umask-wrapper.
Now, you have a few options in setting this up. If you want this to be a mandatory configuration for all users (which seems a little unlikely), you can modify your sshd configuration to include the following:
ForceCommand /usr/bin/umask-wrapper
If you only want this to apply to some users, you can use a Match block (this goes at the end of your sshd_config):
Match User user1,user2
ForceCommand /usr/bin/umask-wrapper
If you want this to be user-controllable behavior, then you can use the command= option in an authorized_keys file to select this behavior for specific keys. For example, while testing this out I added an entry to my authorized_keys file that looks something like this:
command="/home/lars/bin/umask-wrapper" ssh-rsa AAAAB3NzaC1 ... umask-test
And here are some results of my test:
Using ssh with no command:
localhost$ ssh remotehost
remotehost$ touch umask-test/file1
remotehost$ ls -l umask-test/file1
-rw-r-----. 1 lars lars 0 Feb 2 06:02 file1
Using ssh with a command:
localhost$ ssh remotehost touch umask-test/file2
localhost$ ssh remotehost ls -l umask-test/file2
-rw-r-----. 1 lars lars 0 Feb 2 06:03 file2
Using scp:
localhost$ touch file3
localhost$ ls -l file3
-rw-r--r-- 1 lars staff 0 Feb 2 06:03 file3
localhost$ scp file3 remotehost:umask-test/file3
localhost$ ssh remotehost ls -l umask-test/file3
-rw-r-----. 1 lars lars 0 Feb 2 06:03 file3
Using sftp:
localhost$ sftp remotehost
sftp> put file3 umask-test/file4
sftp> ls -l umask-test/file4
-rw-r----- 0 500 500 0 Feb 2 06:05 umask-test/file4
And there you have it. I believe this is the behavior you were looking for. If you have any questions about this solution I would be happy to provide additional details.
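The following is an added example, not code from the answer above: it reproduces the wrapper's logic (set a umask, then exec the original command or a shell) in a function and probes, in a scratch directory, what permission bits a new file actually gets under a given umask, so the expected result of the wrapper can be checked locally before touching sshd_config. The function names and the temporary directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the answers above): offline check of the
# umask-wrapper idea. Function names and the scratch directory are
# assumptions made for this example.

# run_with_umask UMASK [COMMAND]: apply UMASK and run COMMAND via /bin/sh -c,
# falling back to $SHELL when no command is given, mirroring the wrapper's
# ${SSH_ORIGINAL_COMMAND:-$SHELL}. Runs in a subshell so the caller's
# umask is left untouched.
run_with_umask() {
    _mask=$1
    _cmd=${2:-${SHELL:-/bin/sh}}
    ( umask "$_mask" && exec /bin/sh -c "$_cmd" )
}

# probe_mode UMASK: create an empty file under UMASK in a temporary
# directory and print its octal mode (e.g. 640 for umask 0027).
# Uses GNU stat -c and falls back to BSD stat -f.
probe_mode() {
    _dir=$(mktemp -d) || return 1
    run_with_umask "$1" ": > '$_dir/probe'" || { rm -rf "$_dir"; return 1; }
    _mode=$(stat -c '%a' "$_dir/probe" 2>/dev/null || stat -f '%Lp' "$_dir/probe")
    rm -rf "$_dir"
    printf '%s\n' "$_mode"
}

# Example run: show what each candidate umask yields for a newly created file.
for m in 0022 0027 0002; do
    printf 'umask %s -> mode %s\n' "$m" "$(probe_mode "$m")"
done
```

Running it prints one line per umask; a file created under 0027 comes out as mode 640, which is the -rw-r----- shown in the test output above. Swapping the umask value in the first function is all that is needed to see the effect of a different policy before deploying the wrapper.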
I took a slightly different approach to centralize the setting.
This was added to /etc/pam.d/common-session:
session optional pam_umask.so
This was modified in /etc/login.defs:
UMASK 0027
I've gotten pam_umask to work with ssh, but not with scp or sftp.
The wrapper method also does nothing for sftp or scp. I'm not sure 027 is a good example since most distros have umask set to that already. Try with 002 and see if that works.
Programs that don't set their own umask inherit the umask of the application that started them. Stop sshd completely, set your umask to 0027, then start it again. (You can add the umask command in the init script for future reboots.)
Tested to work with scp.
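On a distribution that starts sshd through systemd, the init-script umask mentioned above has a direct counterpart: a drop-in unit with the UMask= directive, which sets the daemon's umask before it is started. This is an added example, not from the comment above; the drop-in path and the unit name are assumptions (the service is ssh.service on Debian-derived systems and sshd.service on others).

```ini
# /etc/systemd/system/ssh.service.d/umask.conf   (path assumed; use the
# sshd.service.d directory if your distribution names the unit sshd.service)
[Service]
UMask=0027
```

After creating the file, run systemctl daemon-reload followed by a restart of the sshd unit, then verify with a probe file over scp or sftp that the new mode is in effect; the drop-in applies to every connection the daemon spawns, including subsystems, which is what the per-session wrapper and pam_umask approaches above do not cover uniformly.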