file permissions and group ownership using sftp

Is there a way to have all files created by a particular user under sftp to have a specific group and file permissions? The user in question, of course, will be a member of the group, but it is not his primary group. In other words, is there a way for sftp to automatically duplicate the effects of umask and newgrp?


There is such a thing as a subsystem in (Open)SSH: it is a program which gets launched when you request something other than an interactive shell. Technically it is just an executable on the remote host which is exec'd by the sshd child after authenticating you and calling setuid.

You can locate a standard subsystem definition for sftp in your SSH config:

Subsystem sftp /usr/lib/openssh/sftp-server

As it is just a plain executable, not a SUID one or special in any other way, you can write a shell script that will change any attributes you need and then just launch original subsystem handler.

Place the following script into /usr/lib/openssh folder as e.g. sftp-fperm-server (this is not required, just to keep things in one place):

#!/bin/sh
umask 026
exec /usr/lib/openssh/sftp-server

Then add a line in the end of /etc/ssh/sshd_config:

Subsystem sftp-fperm /usr/lib/openssh/sftp-fperm-server

And then restart sshd (it does not kill sessions on restart) and launch sftp with the -s sftp-fperm option. Voilà! Files get the newly specified umask.

If you do not want to specify that option each time, just change the standard subsystem definition. Interactive sessions won't be affected by it, so there is no chance of breaking something.

If you want to use the newgrp command, things will be a bit trickier. newgrp always launches a new interactive shell while stupidly not allowing you to pass any parameters to it, so you can't use it the way umask was used in the previous example. But you can replace the last line of the script with:

SHELL=/usr/lib/openssh/sftp-server newgrp git

Actually, calling newgrp for a group I belong to emits a password request, so I was unable to check this solution (I mean only the newgrp one), but it works when I pass /bin/id on my laptop (without SSH), so if you have newgrp working for the user, no problems should arise.


To add to what whitequark is saying, you could build a solution along those lines but use the "sg" command in place of newgrp, which is a kind of "su" for groups. Look it up with "man sg" on any Linux system, at least.
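As an added example (not code from whitequark's answer or from the sg suggestion above): a wrapper in the style of sftp-fperm-server that combines the umask trick with sg, plus two small helpers that show which modes a fresh file and directory actually get under a given umask. The group name git and the sftp-server path are assumptions taken from the answers.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumed values:
SFTP_SERVER=/usr/lib/openssh/sftp-server   # path used in the answer above
SFTP_GROUP=git                             # group the uploads should belong to

# Write the wrapper script to the path given as $1; this is the file a
# "Subsystem sftp-fperm ..." line in sshd_config would point at.
write_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
# umask 026: files become 0666 & ~026 = 0640, directories 0777 & ~026 = 0751
umask 026
# sg runs the command with $SFTP_GROUP as the effective group (sg group -c cmd).
# exec replaces this shell so no extra process sits between sshd and sftp-server.
exec sg $SFTP_GROUP -c "$SFTP_SERVER"
EOF
    chmod 0755 "$1"
}

# Print the ls-style mode of a new file created under umask $1, e.g. -rw-r-----.
# The file is created in a throwaway temp directory and removed again.
mode_of_new_file() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; : > "$d/f" )
    m=$(ls -ld "$d/f" | cut -c1-10)
    rm -rf "$d"
    printf '%s\n' "$m"
}

# Same for a directory, which shows the execute bits a umask of 026 still keeps.
mode_of_new_dir() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; mkdir "$d/sub" )
    m=$(ls -ld "$d/sub" | cut -c1-10)
    rm -rf "$d"
    printf '%s\n' "$m"
}

# Quick demonstration of what the wrapper's umask produces.
printf 'file under umask 026: %s\n' "$(mode_of_new_file 026)"
printf 'dir  under umask 026: %s\n' "$(mode_of_new_dir 026)"
```

Run write_wrapper /usr/lib/openssh/sftp-fperm-server as root to install the wrapper, then point the Subsystem line at it exactly as described in the answer above.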


chmod g+s directory
Will grant ownership to the user's group for all directories & files created in the future.