In sftp, how to set the default permission for all files in a folder?

Solution 1

Alternatively, you can set the umask for all sftp logins in sshd's config file (/etc/ssh/sshd_config on my Debian box). For that add -u 022 to the sftp subsystem line like so:

Subsystem sftp /usr/lib/openssh/sftp-server -u 022

From man sftp-server:

-u umask
     Sets an explicit umask(2) to be applied to newly-created files and directories,
     instead of the user's default mask.

Solution 2

I've spent considerable time searching for a more complete answer to this question. Configuring a different umask for sftp is well and good, but it is not a universal answer, since the umask will only restrict permissions and not grant additional ones. What exact permissions a file uploaded via sftp ends up with depends also on the permissions of the original source file, and on the client used for the upload.

As an example, I've set the umask on my (OpenSSH, on a Red Hat server) sftp server to 0002, but if I upload a text file with 0600 permissions on the source system using the OpenSSH sftp client, it will still have 0600 permissions at the destination. Notably this means I cannot, to the best of my knowledge, ensure that files uploaded to this sftp server have any group permissions at all, which by extension means I also cannot use access control lists (ACL) to extend permissions to other users or groups.

There are two methods to attempt that would address this, though in both cases they are more workarounds than solutions:

  • Create a cron job to manually set the desired permissions after the fact. Simple enough but asynchronous, even though you could run it frequently.
  • Use inotify to monitor the destination directories used by the sftp server, and set the desired permissions for any files created in them. This should be practically immediate, but may have other limitations, such as in the case of large numbers of files or directories.

I came upon a blog post at positon.org which nicely explains the inotify option, with examples and even init scripts. It's best read there, but in the event the site ever disappears, the key command is:

inotifywait -mrq -e CREATE --format %w%f /tmp/mytest/ | while IFS= read -r FILE; do chmod g=u "$FILE"; done

As neat as this is, I would still be very interested in a way, by feature or trickery, to obtain the same result within sftp or at least the shell, without involving separate utilities.
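
The cron workaround from Solution 2, written out as an added example (not code from any of the answers): `effective_mode` reproduces the 0600 versus umask 0002 observation, and `fix_upload_perms` is the job cron would run. The function names, the `UPLOAD_DIR` variable and the 644 default are assumptions taken from the question's stated goal.

```shell
#!/bin/sh
# Added example, not from the original answers. UPLOAD_DIR and both
# function names are hypothetical; the 644 default is the question's goal.

# effective_mode REQUESTED UMASK
# Prints the mode a new file actually receives. The umask only clears bits
# from what the client requested, so it can never add group or other access.
effective_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# fix_upload_perms DIR [MODE]
# Sets every regular file under DIR that is not already MODE to MODE and
# prints how many files were changed. "-type f" without -L means symlinks
# are never selected, and the "! -perm" test keeps repeated runs cheap.
# Run it as the account that owns the uploads rather than as root, so a
# path swapped between the find test and the chmod cannot affect files
# outside that account's reach.
fix_upload_perms() {
    dir=$1
    mode=${2:-644}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    n=$(find "$dir" -type f ! -perm "$mode" \
            -exec chmod "$mode" {} \; -exec echo changed \; | wc -l)
    echo $((n))
}

# Cron entry point: does nothing unless UPLOAD_DIR is set in the environment.
if [ -n "${UPLOAD_DIR:-}" ]; then
    fix_upload_perms "$UPLOAD_DIR" >/dev/null
fi
```
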

Solution 3

Modify /etc/ssh/sshd_config to have:

Subsystem sftp internal-sftp -m 0644

Reload SSHD configuration:

sudo systemctl reload sshd

Author by

user866435

Updated on September 18, 2022

Comments

  • user866435 over 1 year

    I want to set the default permission for all files in a folder, including newly uploaded ones, to a certain value, say 644, instead of doing "chmod 644" all the time.

    Is there any command making this possible?

  • user866435 over 12 years
    I searched umask and got the idea of that. But I still don't know where to change/edit that value. Can you give me more hints?
  • Ingmar Hupp over 12 years
    In the remote server's ~/.profile, most likely. Simply add the line umask 022 at the very bottom (in most cases).
  • user866435 over 12 years
    Sorry, but I can't find the file .profile under the folder. Do I just create one?
  • user1686 over 12 years
    @user: Yes, just create one. (However, note that if ~/.bash_profile exists, then ~/.profile will be ignored.)
  • fdrv over 6 years
    This should be the accepted answer, as this is the only solution after 10 hours which works.... Thanks man. Really works... Here is what doesn't work for me: stackoverflow.com/a/10221511/2309309 unix.stackexchange.com/a/12847/258413
  • maaarghk about 3 years
    Should note this only works on Redhat / Fedora / CentOS / maybe openSUSE? because they have applied this patch