How to set up ssh's umask for all types of connections
Posted by Unode on Server Fault
Published on 2011-01-29T03:02:54Z
Indexed on 2012/10/10 9:41 UTC
I've been searching for a way to set up OpenSSH's umask to 0027 in a consistent way across all connection types.
By connection types I'm referring to:
1. sftp
2. scp
3. ssh hostname
4. ssh hostname program
The difference between 3. and 4. is that the former starts a shell which usually reads the /etc/profile information while the latter doesn't.
In addition, by reading this post I've become aware of the -u option that is present in newer versions of OpenSSH. However, this doesn't work.
I must also add that /etc/profile now includes umask 0027.
Going point by point:
1. sftp - Setting -u 0027 in sshd_config as mentioned here, is not enough. If I don't set this parameter, sftp uses by default umask 0022. This means that if I have the two files:
-rwxrwxrwx 1 user user 0 2011-01-29 02:04 execute
-rw-rw-rw- 1 user user 0 2011-01-29 02:04 read-write
When I use sftp to put them in the destination machine I actually get:
-rwxr-xr-x 1 user user 0 2011-01-29 02:04 execute
-rw-r--r-- 1 user user 0 2011-01-29 02:04 read-write
However, when I set -u 0027 in sshd_config of the destination machine I actually get:
-rwxr--r-- 1 user user 0 2011-01-29 02:04 execute
-rw-r--r-- 1 user user 0 2011-01-29 02:04 read-write
which is not expected, since it should actually be:
-rwxr-x--- 1 user user 0 2011-01-29 02:04 execute
-rw-r----- 1 user user 0 2011-01-29 02:04 read-write
Anyone understands why this happens?
2. scp - Independently of what is set up for sftp, permissions are always umask 0022. I currently have no idea how to alter this.
3. ssh hostname - no problem here since the shell reads /etc/profile by default, which means umask 0027 in the current setup.
4. ssh hostname program - same situation as scp.
In sum, setting umask on sftp alters the result but not as it should, ssh hostname works as expected reading /etc/profile, and both scp and ssh hostname program seem to have umask 0022 hardcoded somewhere.
Any insight on any of the above points is welcome.
EDIT: I would like to avoid patches that require manually compiling openssh. The system is running Ubuntu Server 10.04.01 (lucid) LTS with openssh packages from maverick.
Answer: As indicated by poige, using pam_umask did the trick.
The exact changes were:
Lines added to /etc/pam.d/sshd:
# Setting UMASK for all ssh based connections (ssh, sftp, scp)
session optional pam_umask.so umask=0027
Also, in order to affect all login shells regardless of whether they source /etc/profile or not, the same lines were also added to /etc/pam.d/login.
EDIT: After some of the comments I retested this issue.
At least in Ubuntu (where I tested) it seems that if the user has a different umask set in their shell's init files (.bashrc, .zshrc, ...), the PAM umask is ignored and the user-defined umask is used instead. Changes in /etc/profile didn't affect the outcome unless the user explicitly sources those changes in the init files.
It is unclear at this point if this behavior happens in all distros.
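As an added illustration, not part of the question or the answer above: a small POSIX shell script that predicts the mode a file should land with under a given umask, checks `ls -l` output against that prediction (the bits that were actually cleared give the effective umask on the receiving side), and, when pointed at a host you have key-based ssh access to, reports the umask each connection type from the question really ends up with. It is run here on the two files from the question to show that the modes observed with `-u 0027` do not match umask 0027. The host argument, the remote file names `probe.scp` and `probe.sftp`, and the use of GNU `stat -c %a` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Server Fault thread. Predict the mode a file
# should land with under a given umask, compare that with what `ls -l`
# shows on the far side of a transfer, and (optionally, against a host
# you can ssh to) report the umask each connection type really gets.

# Mode the kernel produces for a requested mode under a umask: mode & ~umask.
# Both arguments are octal strings (e.g. 0777 0027 -> 0750).
apply_umask() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# Permission bits present in the source but missing from the copy. Whatever
# umask was really in effect on the receiving side must contain these bits.
bits_cleared() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# One rwx triplet ("r-x", "rw-", ...) to its octal digit; s/t count as x set.
rwx_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# First field of an `ls -l` line ("-rwxr-x---") to octal ("0750").
ls_mode_to_octal() {
    u=$(rwx_to_digit "$(printf '%s' "$1" | cut -c2-4)")
    g=$(rwx_to_digit "$(printf '%s' "$1" | cut -c5-7)")
    o=$(rwx_to_digit "$(printf '%s' "$1" | cut -c8-10)")
    printf '0%s%s%s\n' "$u" "$g" "$o"
}

# check_transfer UMASK SRC_LS DST_LS: does the copy's mode match what UMASK
# predicts for the source mode? Prints a verdict; returns 1 on a mismatch and
# names the bits that were actually cleared, i.e. the effective umask.
check_transfer() {
    um=$1
    src=$(ls_mode_to_octal "$2")
    dst=$(ls_mode_to_octal "$3")
    want=$(apply_umask "$src" "$um")
    if [ "$want" = "$dst" ]; then
        printf 'ok        %s -> %s (consistent with umask %s)\n' "$2" "$3" "$um"
        return 0
    fi
    printf 'MISMATCH  %s -> %s: umask %s predicts %s, got %s (bits cleared: %s)\n' \
        "$2" "$3" "$um" "$want" "$dst" "$(bits_cleared "$src" "$dst")"
    return 1
}

# Live probe, not run here: needs key-based ssh access to HOST. Shows the
# umask of a non-login shell (the `ssh host program` case) and of a login
# shell, then copies a 0666 file with scp and sftp and reads back the modes.
# `stat -c %a` is GNU coreutils (fine on the Ubuntu host in the question);
# the remote file names probe.scp / probe.sftp are assumptions.
probe_host() {
    host=$1
    tmp=$(mktemp) && chmod 0666 "$tmp"
    printf 'ssh %s umask          : %s\n' "$host" "$(ssh "$host" umask)"
    printf 'ssh %s sh -lc umask   : %s\n' "$host" "$(ssh "$host" 'sh -lc umask')"
    scp -q "$tmp" "$host:probe.scp"
    printf 'put %s probe.sftp\n' "$tmp" | sftp -q -b - "$host" >/dev/null
    ssh "$host" 'stat -c "%a %n" probe.scp probe.sftp; rm -f probe.scp probe.sftp'
    rm -f "$tmp"
}

# The two files from the question, pushed with sftp-server -u 0027: the
# observed modes are not what umask 0027 should give. The third line is
# what a correctly applied 0027 would have produced.
demo() {
    check_transfer 0027 -rwxrwxrwx -rwxr--r-- || :
    check_transfer 0027 -rw-rw-rw- -rw-r--r-- || :
    check_transfer 0027 -rwxrwxrwx -rwxr-x--- || :
}
demo
```

The two mismatch lines report the bits actually cleared as 0033 and 0022, which is what the question's `ls -l` output implies; neither is the 0027 that was configured. After the pam_umask change from the answer, `probe_host yourhost` should print 0027 for both shell lines and 640 for both copied files, provided nothing in the user's own shell init files sets a different umask, which is exactly the caveat the final EDIT raises.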
© Server Fault or respective owner