Setting default group permissions via SFTP


Solution 1

Background

This is an everlasting problem of SFTP and sharing files. It is because the resulting permissions are based on the original permission of the file on the user side, and the umask (-u) argument does not force such permissions, but only strips the unwanted ones. This means that only if the user tries to upload a file with permission 0777 is it applied and stripped down to 0775. Otherwise it is just left as it was. For example, if the user has a file stored on his file system with permission 0700, it will appear also after upload as 0700.

Solution

Recently we solved this issue in Fedora by applying a patch which forces the exact permission of newly uploaded files, which is based on this one:

https://bugzilla.mindrot.org/show_bug.cgi?id=1844

This will be available in CentOS in a few months; not sure about Debian.

Workaround

There is no other elegant solution except some periodically running script (from cron) which fixes the wrong permissions. It would be some one-liner in bash, but I guess you can think of one. I can elaborate on this more if you are interested.
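As an added example (not the answerer's script, which was never posted), here is a repair script of the kind the workaround describes, meant to be run from root's crontab against the shared tree. It takes the share directory and the group as arguments; the values /files and sharing used in the usage line are the question's, and it is an assumption that the whole tree under the share should belong to that group. It makes every file group read/write without widening "other", gives directories group rwx plus setgid so new entries inherit the group, and returns non-zero if any file is still not group-writable after the run (for example because an unprivileged run could not chmod another user's file).

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Periodic permission repair for a shared SFTP tree: files uploaded with a
# restrictive client-side mode (e.g. 0700 or 0640) are made group read/write,
# directories become group rwx + setgid, and everything is handed to the group.
# Assumed inputs: the share directory (e.g. /files) and the group (e.g. sharing).

fix_shared_perms() {
    share="$1"
    group="$2"

    # Hand every file and directory to the sharing group (no-op where already correct).
    find "$share" ! -group "$group" -exec chgrp "$group" {} +

    # Files: add group read+write only; "other" is left alone and no execute bit is added.
    find "$share" -type f ! -perm -060 -exec chmod g+rw {} +

    # Directories: group rwx so members can create and delete entries, plus setgid
    # so new entries inherit the directory's group instead of the uploader's primary group.
    find "$share" -type d ! -perm -2070 -exec chmod g+rwxs {} +

    # Exit status: 0 when every file is now group-writable, 1 when some file
    # could not be fixed (typically a file owned by another user when run unprivileged).
    [ -z "$(find "$share" -type f ! -perm -060)" ]
}

# Usage (assumed paths):  fix_shared_perms.sh /files sharing
# e.g. in root's crontab:  */5 * * * * /usr/local/sbin/fix_shared_perms.sh /files sharing
if [ "$#" -ge 2 ]; then
    fix_shared_perms "$1" "$2"
fi
```

Run it as root so that chgrp and chmod succeed on files owned by any uploader; as an ordinary user it can only repair that user's own files, which the exit status reports.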

Solution 2

I was able to get this to work on Debian using bindfs, which is still kind of hacky, but it works. Basically it mounts one directory into another and you can force all permissions to behave however you like. So regardless of how the file is written in the actual directory, the directory served by SFTP will always be writable. Now all of my clients can write to files that other users created :D
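As an added example, not the answerer's own configuration (which was never posted), this is the kind of bindfs mount Solution 2 describes, written as an /etc/fstab entry. The real storage directory /srv/files-real and the view /files/shared are assumed paths; the 0660 mode and the group name sharing come from the question. Option names follow the bindfs manual (check `man bindfs` for the version you run). bindfs performs its access checks against the permission bits it presents and touches the real files with the mounter's privileges, which is why the view is writable for everyone in the group no matter what mode the uploading client asked for. Note that the chroot directory itself, /files, must stay root-owned and not group-writable or sshd will refuse the chroot, so the writable view has to be a subdirectory of it, and the real directory should sit outside the chroot so users cannot reach it except through the view.

```fstab
# /etc/fstab -- added example, not the configuration from Solution 2.
# /srv/files-real : where the files actually live (assumed path, outside the chroot)
# /files/shared   : the directory SFTP users see inside the /files chroot (assumed path)
#
# perms=0660:ug+X             every file is presented as rw-rw----, every directory as rwxrwx---
# force-group=sharing         everything is presented as owned by group "sharing"
# create-for-group=sharing    new files are created in the real directory with group "sharing"
# create-with-perms=0660:ug+X new files are stored as 0660 (directories 0770) whatever the client requested
# chmod-ignore                a client's chmod is accepted but has no effect, so nobody can lock a file again
/srv/files-real  /files/shared  fuse.bindfs  perms=0660:ug+X,force-group=sharing,create-for-group=sharing,create-with-perms=0660:ug+X,chmod-ignore  0  0
```

After `mount /files/shared`, the ChrootDirectory /files from the question stays as it is and only the contents of /files/shared are rewritten; a file that an SFTP client uploads as 0700 is stored as 0660 and shown as 0660 to every other member of sharing.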


Author: DAB

Updated on September 18, 2022

Comments

  • DAB
    DAB over 1 year

    I am setting up a file server where users log in via SFTP. I want all users to have the same permissions to read and write any file. Since they all have different accounts with different passwords, I end up with something like this:

    -rw-r-----   1 user1   sharing  308 Jul  6 12:03 test2.rtf
    -rw-r-----   1 user2   sharing  308 Jul  6 12:16 test3.rtf
    

    The group is called sharing, which contains all the users. The problem is that when files are written, the default permission for the group is read only.

    I have tried setting the umask in sshd_config:

    Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
    Match Group sharing
        ChrootDirectory /files/
        ForceCommand internal-sftp -u 002
        AllowTCPForwarding no
        X11Forwarding no
    

    The ACL for the directory (getfacl output) is this:

    # file: .
    # owner: root
    # group: sharing
    # flags: -s-
    user::rwx
    group::rwx
    group:sharing:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:other::---
    

    also in these places:

    init.d/rc:umask 002
    init.d/ssh:umask 002
    bash.bashrc:umask 002
    

    If I log in via SFTP, I get permissions of 640. If I disable SFTP and log in as user1 via ssh, and touch a new file, I get permissions of 660, which is what I want.

    So how can I get this to work via SFTP?

    This is Debian 7, by the way.

  • DAB
    DAB almost 9 years
    I actually found a workaround that works on Debian also; posting an answer.
  • MarcoZen
    MarcoZen almost 3 years
    It's been a few years, but could you expand on your answer and show the important snippets of your configuration? Especially the part where users in the same group can read/write the files/directories.