Does OpenSSH SFTP server use umask or preserve client side permissions after put command (chrooted environment)?

Solution 1:

First, the umask is about the server, not the client. So asking if the put command of the OpenSSH client uses umask is wrong. You should ask if the OpenSSH server uses umask when creating a file as a result of an SFTP upload.

Anyway, what the OpenSSH SFTP client does:

  • put without the -P flag: it asks the server to create a file with the same permissions as the local file has. The OpenSSH server then (implicitly by *nix rules) applies the umask.

  • put with the -P flag: it starts the same, but after the upload completes, the client asks the server to explicitly (re)set the permissions to the same as the local file has ("chmod" request). For "chmod", the umask does not apply.

  • mkdir: it asks the server to create a directory with permissions 0777. The umask implicitly applies.

Anyway, I believe that umask 0002 has no effect on a file with permissions 0600, as these are mutually exclusive. You should try your umask against a file with permissions like 0644.

So actually, it should work, if you have your system configured as you describe. See evidence from my box (Ubuntu with OpenSSH 6.2p2):

Match user user2
  ChrootDirectory /home/user2/chroot
  ForceCommand internal-sftp -u 0077
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no

See the difference in permissions after put vs. put -P:

user1:~$ touch file.txt
user1:~$ ls -l
total 0
-rw-r--r-- 1 user1 ftpuser    0 Oct 23 15:34 file.txt
user1:~$ sftp user2@localhost
user2@localhost's password: 
Connected to localhost.
sftp> cd somefolder 
sftp> put file.txt
Uploading file.txt to /somefolder/file.txt
file.txt                                         100%     0    0.0KB/s    0:00
sftp> ls -l
-rw-------    1 1003 1001    0 Oct 23 15:35 file.txt
sftp> put -P file.txt
Uploading file.txt to /somefolder/file.txt
file.txt                                         100%     0    0.0KB/s    0:00
sftp> ls -l
-rw-r--r--    1 1003 1001    0 Oct 23 15:34 file.txt

Btw, the latest SFTP specification defines the behavior of the client and server regarding umask. As you can see, OpenSSH actually violates that, although OpenSSH implements SFTP version 3, which had no mention of umask yet.

7.6. Permissions

...

The server SHOULD NOT apply a 'umask' to the mode bits; but should set the mode bits as specified by the client. The client MUST apply an appropriate 'umask' to the mode bits before sending them.
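
The create-versus-chmod distinction from the answer above, reproduced locally as an added example (not part of the original answer and not OpenSSH code). os.open with a mode stands in for the server creating the uploaded file, os.chmod for the request sent by put -P, and os.mkdir for the mkdir request; the function names are hypothetical.

```python
import os
import tempfile


def simulate_upload(local_mode, server_umask, preserve=False):
    """Final mode of a file created with local_mode under server_umask.

    preserve=True models put -P: an explicit chmod after the upload.
    """
    old = os.umask(server_umask)          # e.g. internal-sftp -u 0077
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "file.txt")
            # open(2) with a mode: the kernel stores local_mode & ~umask
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, local_mode)
            os.close(fd)
            if preserve:
                os.chmod(path, local_mode)  # chmod(2) is not subject to umask
            return os.stat(path).st_mode & 0o777
    finally:
        os.umask(old)                     # restore the caller's umask


def simulate_mkdir(server_umask):
    """Final mode of a directory requested with 0777, as the sftp client does."""
    old = os.umask(server_umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "somefolder")
            os.mkdir(path, 0o777)         # mkdir(2) also applies the umask
            return os.stat(path).st_mode & 0o777
    finally:
        os.umask(old)


if __name__ == "__main__":
    # Constructed cases: (label, local mode, server umask, put -P?)
    cases = [
        ("put,    0644 local, umask 0077", 0o644, 0o077, False),
        ("put -P, 0644 local, umask 0077", 0o644, 0o077, True),
        ("put,    0600 local, umask 0002", 0o600, 0o002, False),
        ("put,    0666 local, umask 0002", 0o666, 0o002, False),
    ]
    for label, mode, mask, keep in cases:
        print(f"{label}: {simulate_upload(mode, mask, keep):04o}")
    print(f"mkdir,  0777 requested, umask 0077: {simulate_mkdir(0o077):04o}")
```

The first two cases give the same modes as the put and put -P listings in the transcript (rw------- and rw-r--r--).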