sFTP file and directory permission by default

Posted: 2019/11/05 05:37:42
by bakeng
I've configured an sFTP server with upload permission only, as per customer request; my SFTP setup is as below:

# vi /etc/ssh/sshd_config:

Subsystem sftp internal-sftp -l

Match Group sftpusers
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -l

# groupadd sftpusers

# useradd -m -d /uploadonly/public -g sftpusers -s /bin/false testuser; passwd testuser

# chown root:root /uploadonly ; chown root:root /uploadonly/public
# mkdir /uploadonly/public/testuser; chown testuser:sftpusers /uploadonly/public/testuser

# vi /etc/pam.d/sshd

session optional pam_umask.so umask=0400

# systemctl restart sshd

Logging in as testuser from an sftp client, I can upload a file with permission --w-rw-rw- (which looks OK), but for a directory the permission becomes d-wxrwxrwx.

The issue is how to change the default permission to drwxrw-rw- for newly created directories, because with the current d-wxrwxrwx, testuser can't cd into and upload files to the new directory. The OS is CentOS 7, please help.

Re: sFTP file and directory permission by default

Posted: 2019/11/05 11:04:13
by tunk
session optional pam_umask.so umask=0400
"4" = not read.
You may want to try something like: umask=0002

Re: sFTP file and directory permission by default

Posted: 2019/11/06 07:20:06
by bakeng
As per the request, no file on the sFTP server is allowed to be downloaded by default; that's why I put 0400. With 0002, the user can still download the file after uploading it. Correct me if I'm wrong.
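As an added illustration (not part of this thread or of any poster's setup), the script below models the umask the way pam_umask applies it, assuming the SFTP server asks for 0666 on new files and 0777 on new directories (the usual request; a client may send its own mode instead). It reproduces the modes seen in the question and the reply, and checks whether any single umask can give drwxrw-rw- directories while still removing the owner's read bit from uploaded files.

```python
"""Model how a pam_umask setting shapes the modes of SFTP uploads.

Assumptions (constructed for this example): new files are created with a
requested mode of 0666 and new directories with 0777; the umask then clears
every bit that is set in it. On a directory the x bit is the search bit
needed to cd into it, and the r bit is what a listing (ls) needs.
"""
from __future__ import annotations

FILE_REQUEST = 0o666   # mode requested for a new regular file
DIR_REQUEST = 0o777    # mode requested for a new directory


def apply_umask(requested: int, umask: int) -> int:
    """mode = requested & ~umask, restricted to the nine permission bits."""
    return requested & ~umask & 0o777


def rwx(mode: int) -> str:
    """Render the nine permission bits the way ls does (without the type char)."""
    letters = "rwxrwxrwx"
    return "".join(ch if mode & (1 << (8 - i)) else "-" for i, ch in enumerate(letters))


def resulting_modes(umask: int) -> tuple[str, str]:
    """(file mode, directory mode) produced by this umask."""
    return rwx(apply_umask(FILE_REQUEST, umask)), rwx(apply_umask(DIR_REQUEST, umask))


def umasks_where(keep_on_dirs: int, drop_from_files: int) -> list[int]:
    """Every umask that leaves keep_on_dirs set on new directories and
    clears drop_from_files on new files. Because one mask applies to both,
    asking to keep a bit on directories and drop the same bit on files
    yields an empty list."""
    matches = []
    for mask in range(0o1000):
        d = apply_umask(DIR_REQUEST, mask)
        f = apply_umask(FILE_REQUEST, mask)
        if d & keep_on_dirs == keep_on_dirs and f & drop_from_files == 0:
            matches.append(mask)
    return matches


if __name__ == "__main__":
    for m in (0o400, 0o002):
        print(f"umask={m:04o}: file -{resulting_modes(m)[0]}  dir d{resulting_modes(m)[1]}")
    # Owner read on the directory (for ls) but no owner read on files: impossible.
    print("umasks giving drwxrw-rw- dirs and owner-unreadable files:",
          umasks_where(0o766, 0o400))
    # Owner wx on the directory (enough to cd and upload) with files unreadable: possible.
    print("umasks keeping owner wx on dirs, dropping owner r from files:",
          [f"{m:04o}" for m in umasks_where(0o300, 0o400)][:4], "...")
```

The second search shows that the thread's umask=0400 already leaves the owner able to cd and write into a new directory; what it cannot give is the directory read bit that a client needs to list the directory without also making uploaded files readable.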