In this tutorial I will share the steps to set the umask for SFTP connections. I will not go into the details of what umask is and how to set the umask in Linux; you can follow the respective articles in the hyperlinks.
Why do we need to set a different umask for SFTP?
By default the umask is applied system-wide, but additionally we can control a custom umask per user by specifying the value inside the .bashrc file in the respective user's home folder.
But when we are doing SFTP, and especially chroot-based SFTP, we don't have access to the user's home folder and no login shell is started, so the custom umask from .bashrc is not applied.
Now consider a scenario where the system-wide umask is set to 077 but for a certain user we want to set the umask to 022. This cannot be done by modifying the user's .bashrc file.
How to set SFTP umask per user and group?
As per the sftp-server(8) man page, we can use the -u flag to provide a custom umask:
-u umask
Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask.
1. My Lab Environment
I have an SSHD service running on port 22 on a Linux server with the default umask set to 077. So any file created on this server will get 600 permissions, i.e. no read, write or execute permission for group and others.
[root@sftp-server ~]# umask
0077
[root@sftp-server ~]# touch /tmp/index.html
[root@sftp-server ~]# ls -l /tmp/index.html
-rw-------. 1 root root 0 Jan 21 12:55 /tmp/index.html
Now we have a requirement to give read permission to any file which is copied via SFTP. To achieve this I will modify the umask for incoming connections via SFTP for this directory.
2. Verify the umask before applying the changes
We will use the amit user for our SFTP testing, who is a member of the sftpusers group.
Let's verify the permissions of files currently being created via SFTP with the default umask of 077. I will trigger a put of /tmp/index.html into /opt/storage:
~]# sftp amit@192.106.147.92:storage/ <<< $'put /tmp/index.html'
amit@192.106.147.92's password:
Connected to 192.106.147.92.
Changing to: /storage/
sftp> put /tmp/index.html
Uploading /tmp/index.html to /storage/index.html
/tmp/index.html
Verify the permission of index.html inside the sftp share:
[root@sftp-server ~]# ls -l /opt/storage/
total 529
-rw-------. 1 amit sftpusers 541497 Jan 21 12:58 index.html
As expected the file got created with 600 because of the system's default umask of 077.
3. Apply custom umask to SFTP
To apply a custom umask for all incoming SFTP connections you can modify the Subsystem line in /etc/ssh/sshd_config as shown below:
Subsystem sftp internal-sftp -u 027
Or, to set the umask per user or group, put ForceCommand inside Match blocks at the end of /etc/ssh/sshd_config (the global Subsystem sftp internal-sftp line stays as it is; a Match block extends to the next Match line or the end of the file, so it must come after all global options):
Match User deepak
    ForceCommand internal-sftp -u 0022
Match Group sftpusers
    ForceCommand internal-sftp -u 0027
Here we are applying a umask of 022 to the user deepak and 027 to all other connections from the sftpusers group. When a user satisfies more than one Match block, only the first ForceCommand found is applied, which is why the more specific Match User block is listed before the Match Group block.
Next restart the sshd service to activate the changes:
[root@sftp-server ~]# systemctl restart sshd
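To see why the order of the Match blocks matters, the following added example (not code from the original post) models how sshd resolves a keyword for a given user: the first value in a satisfied Match block overrides the global section, and among several satisfied blocks the first one wins. The two sshd_config fragments are constructed sample data; only Match User and Match Group are modelled.

```python
import fnmatch
import shlex

# Constructed sshd_config fragments mirroring the Match blocks in this section (sample data, not the page's file).
MATCH_USER_FIRST = """
Subsystem sftp internal-sftp
Match User deepak
    ForceCommand internal-sftp -u 0022
Match Group sftpusers
    ForceCommand internal-sftp -u 0027
"""
MATCH_GROUP_FIRST = """
Subsystem sftp internal-sftp
Match Group sftpusers
    ForceCommand internal-sftp -u 0027
Match User deepak
    ForceCommand internal-sftp -u 0022
"""


def _match_satisfied(criteria, user, groups):
    """Evaluate the criterion/pattern pairs of a Match line. Only User and Group are
    modelled, with comma-separated glob patterns; negated ("!") patterns are not."""
    for crit, patterns in zip(criteria[0::2], criteria[1::2]):
        if crit.lower() == "user":
            candidates = [user]
        elif crit.lower() == "group":
            candidates = groups
        else:
            raise ValueError(f"Match criterion not modelled: {crit}")
        if not any(fnmatch.fnmatchcase(c, p) for c in candidates for p in patterns.split(",")):
            return False
    return True


def effective_value(config, keyword, user, groups):
    """Resolve the value sshd applies for `keyword` to a session of `user` (member of `groups`):
    the first value in a satisfied Match block wins; otherwise the first global value; else None."""
    global_value = match_value = None
    in_match = active = False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":                # a Match block runs to the next Match line or EOF
            in_match, active = True, _match_satisfied(args, user, groups)
        elif key.lower() == keyword.lower():
            value = " ".join(args)
            if not in_match and global_value is None:
                global_value = value
            elif in_match and active and match_value is None:
                match_value = value
    return match_value if match_value is not None else global_value
```

With MATCH_GROUP_FIRST a deepak who is also a member of sftpusers silently gets the group's umask 0027 instead of 0022.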
4. Verify the changes
I will delete the previously created file on the SFTP server so that we can verify the permissions properly:
[root@sftp-server ~]# rm -f /opt/storage/index.html
Next let’s re-attempt to copy our file using SFTP:
[root@sftp-client ~]# sftp amit@192.106.147.92:storage/ <<< $'put /tmp/index.html'
amit@192.106.147.92's password:
Connected to 192.106.147.92.
Changing to: /storage/
sftp> put /tmp/index.html
Uploading /tmp/index.html to /storage/index.html
/tmp/index.html 100% 529KB 96.2MB/s 00:00
Verify the permission
[root@sftp-server ~]# ls -l /opt/storage/
-rw-------. 1 amit sftpusers 541497 Jan 21 13:01 index.html
The permissions still show 600, so are our changes not working? There is one more thing we must know here: if the system's default umask is more restrictive than the one provided to SFTP, we have to make sure that the file we are planning to copy already carries the wider permissions. This is because the sftp client sends the source file's permission bits along with the upload and the server only applies its umask to them: a custom umask can strip permission bits based on its value, but it will never add permissions to a file. So in this case, our source file /tmp/index.html has the following permissions:
[root@sftp-client ~]# ls -l /tmp/index.html
-rw-------. 1 root root 541497 Dec 21 10:29 /tmp/index.html
Hence after copying, the same permissions are retained: umask 027 can strip a file's permissions down to 640, but it will NOT add read permission to a file which has 600 permissions.
Let me show you how this would work.
[root@sftp-client ~]# chmod 644 /tmp/index.html
[root@sftp-client ~]# ls -l /tmp/index.html
-rw-r--r--. 1 root root 541497 Dec 21 10:29 /tmp/index.html
As you can see I have given read permission to group and others on my client, and I have deleted the old copy from the sftp-server. Now let's retry the SFTP transfer:
[root@sftp-client ~]# sftp amit@192.106.147.92:storage/ <<< $'put /tmp/index.html'
amit@192.106.139.203's password:
Connected to 192.106.139.203.
Changing to: /opt/storage/
sftp> put /tmp/index.html
Uploading /tmp/index.html to /opt/storage/index.html
/tmp/index.html 100% 0 0.0KB/s 00:00
Verify the permission on the SFTP folder:
[root@sftp-server /]# ls -l /opt/storage/
total 151
-rw-r-----. 1 amit sftpusers 0 Jan 21 13:18 index.html
Now we have the proper permissions as per the custom SFTP umask we set for the sftpusers group.
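The behaviour shown in this section can be reproduced locally without an SFTP server. The following added example (my own code, not the post's) does what sftp-server does on a put: it sets the process umask as -u would and creates the file with open(2) using the permission bits the client sent, so the kernel clears bits but never sets them. It assumes a Linux or other POSIX host.

```python
import os
import stat
import tempfile


def create_with_umask(requested_mode, umask):
    """Create an empty file the way sftp-server does on `put`: open(2) with the permission
    bits sent by the client, under the process umask set via `-u`. Returns the resulting mode."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "index.html")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)      # restore the caller's umask


def predict(requested_mode, umask):
    """Pure arithmetic of what the kernel does: bits present in the umask are cleared,
    bits absent from the requested mode are never added."""
    return requested_mode & ~umask & 0o777


if __name__ == "__main__":
    # Constructed cases: the post's 600 source under umask 027 (stays 600) and the
    # chmod 644 source under umask 027 (becomes 640), plus the system default 077.
    for mode, mask in [(0o600, 0o077), (0o600, 0o027), (0o644, 0o027), (0o644, 0o022)]:
        got = create_with_umask(mode, mask)
        print(f"source {mode:04o} umask {mask:04o} -> {got:04o} (predicted {predict(mode, mask):04o})")
```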
Summary
We explained that the umask value of the operating system and the umask value used by SFTP can differ, and why this matters for security. By the end of this article you should be able to make the files and directories created via SFTP carry only the limited permissions you intend for the SFTP user.
For more information on SFTP, you can get help from the man page:
foc@fedora:~$ man sftp-server
sftp-server — OpenSSH SFTP server subsystem
SYNOPSIS
sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level] [-P denied_requests] [-p allowed_requests] [-u umask]
[-m force_file_perms]
sftp-server -Q protocol_feature
...
Or type a question mark (?) at the sftp prompt once connected:
sftp> ?
Available commands:
bye Quit sftp
cd path Change remote directory to 'path'
chgrp [-h] grp path Change group of file 'path' to 'grp'
chmod [-h] mode path Change permissions of file 'path' to 'mode'
chown [-h] own path Change owner of file 'path' to 'own'
df [-hi] [path] Display statistics for current directory or
...
rmdir path Remove remote directory
symlink oldpath newpath Symlink remote file
version Show SFTP version
!command Execute 'command' in local shell
! Escape to local shell
? Synonym for help
References
- sftp-server(8) - Linux man page (linux.die.net)
- How to put desired umask with SFTP? - Server Fault
