file permissions and group ownership using sftp
Is there a way to have all files created by a particular user under sftp to have a specific group and file permissions? The user in question, of course, will be a member of the group, but it is not his primary group. In other words, is there a way for sftp to automatically duplicate the effects of umask and newgrp?
There is such a thing as a subsystem in (Open)SSH: it is a program which gets launched when you request something other than an interactive shell. Technically it is just an executable on the remote host which is exec'd by the sshd child after authenticating you and calling setuid.
You can locate a standard subsystem definition for sftp in your SSH config:
Subsystem sftp /usr/lib/openssh/sftp-server
As it is just a plain executable, not a SUID one or special in any other way, you can write a shell script that will change any attributes you need and then just launch the original subsystem handler.
Place the following script into the /usr/lib/openssh folder as e.g. sftp-fperm-server (this is not required, just to keep things in one place):
#!/bin/sh
# Wrapper for the sftp subsystem: set the umask, then replace this shell
# with the real sftp-server so it inherits sshd's stdin/stdout unchanged.
umask 026
exec /usr/lib/openssh/sftp-server
Then add a line at the end of /etc/ssh/sshd_config:
Subsystem sftp-fperm /usr/lib/openssh/sftp-fperm-server
And then restart sshd (it does not kill sessions on restart) and launch sftp with a -s sftp-fperm option. Voila! Files get the newly specified umask.
If you do not want to specify that option each time, just change the standard subsystem definition. Interactive sessions won't be affected by it, so there is no chance of breaking something.
If you want to use the newgrp command, things will be a bit trickier. newgrp always launches a new interactive shell and, stupidly, does not allow passing any parameters to it, so you can't use it like the umask in the previous example. But you can replace the last line in the script with:
SHELL=/usr/lib/openssh/sftp-server newgrp git
Actually, calling newgrp for some group I belong to prompts for a password, so I was unable to check this solution (I mean only the newgrp one), but it works when I pass /bin/id on my laptop (without SSH), so if you have newgrp working for the user, no problems should arise.
To add to what whitequark is saying, you could build a solution along those lines but use the sg command in place of newgrp, which is a kind of su for groups. Look it up with "man sg" on any Linux system, at least.
chmod g+s directory
Will grant ownership to the user's group for all directories & files created in the future.
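Putting the three answers together, as an added example that is not code from any of the posts above: a wrapper that applies a umask, switches the primary group with sg (after checking membership, because sg on a group the user is not in prompts for a group password, and an sftp session has no terminal to answer it), and execs the real sftp-server, plus two small helpers that show on a scratch directory what a given umask and a setgid directory actually produce. The group name devteam, the server path and the wrapper file name sftp-fperm-server are assumptions; the script only acts as a subsystem when invoked under that name, so the helpers can be exercised separately. One caveat: sshd runs a Subsystem command through the user's login shell, so this wrapper needs the account to have a real shell, unlike the built-in internal-sftp.

```shell
#!/bin/sh
# Added example, not from the original answers. Wrapper for the OpenSSH
# sftp subsystem: set a umask, switch the primary group with sg, exec the
# real sftp-server. Assumed (not from the page): group "devteam", server
# at /usr/lib/openssh/sftp-server, this file installed as
# /usr/lib/openssh/sftp-fperm-server and referenced from sshd_config.

SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"
SFTP_GROUP="${SFTP_GROUP:-devteam}"
SFTP_UMASK="${SFTP_UMASK:-026}"

# True if the current user is a member (primary or supplementary) of $1.
# sg would prompt for a group password otherwise, and the sftp session
# has no terminal to answer it, so the session would just hang or die.
in_group() {
    id -Gn | tr ' ' '\n' | grep -qx -- "$1"
}

# Show what a umask leaves on a new file and a new directory, as two
# ls-style mode strings (e.g. "-rw-r----- drwxr-x--x" for 026).
# Works in a scratch directory that is removed afterwards.
umask_effect() {
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && : > "$scratch/f" && mkdir "$scratch/d" ) || { rm -rf "$scratch"; return 1; }
    f=$(ls -ld "$scratch/f" | cut -c1-10)
    d=$(ls -ld "$scratch/d" | cut -c1-10)
    rm -rf "$scratch"
    printf '%s %s\n' "$f" "$d"
}

# Make directory $1 setgid so files created inside inherit its group
# (rather than the creator's primary group); print the directory's mode
# string and the group of a probe file created inside it.
setgid_dir() {
    chmod g+s "$1" && : > "$1/probe" || return 1
    printf '%s %s\n' "$(ls -ld "$1" | cut -c1-10)" "$(ls -ld "$1/probe" | awk '{print $4}')"
}

# Entry point when sshd runs this file as the subsystem handler.
run_subsystem() {
    umask "$SFTP_UMASK"
    if in_group "$SFTP_GROUP"; then
        # sg runs the command with $SFTP_GROUP as the new primary group, so
        # everything sftp-server creates is owned by that group. exec keeps
        # sftp-server on sshd's stdin/stdout, which the protocol requires.
        exec sg "$SFTP_GROUP" -c "exec $SFTP_SERVER"
    fi
    # Not a member: fall back to the plain server rather than failing the
    # session (the umask still applies).
    exec "$SFTP_SERVER"
}

# Only act as the subsystem when executed under the installed name, so the
# helper functions above can be sourced and tried out by hand.
[ "${0##*/}" = "sftp-fperm-server" ] && run_subsystem
```

Install it with mode 755, point the Subsystem line at it (either as a separate sftp-fperm name for use with sftp -s, or replacing the default sftp entry), and restart sshd. The values printed by umask_effect are the ones a client will see: with the page's 026, files come out 640 and directories 751.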