sFTP file and directory permission by default

bakeng
Posts: 2
Joined: 2019/11/05 05:34:29

sFTP file and directory permission by default

Post by bakeng » 2019/11/05 05:37:42

I've configured an sFTP server with upload-only permission as per a customer request. My SFTP setup is as below:

# vi /etc/ssh/sshd_config:

Subsystem sftp internal-sftp -l

Match Group sftpusers
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -l

# groupadd sftpusers

# useradd -m -d /uploadonly/public -g sftpusers -s /bin/false testuser; passwd testuser

# chown root:root /uploadonly ; chown root:root /uploadonly/public
# mkdir /uploadonly/public/testuser; chown testuser:sftpusers /uploadonly/public/testuser

# vi /etc/pam.d/sshd

session optional pam_umask.so umask=0400

# systemctl restart sshd

Logging in as testuser from an sftp client, I can upload a file with permission --w-rw-rw- (which looks OK), and for a directory the permission becomes d-wxrwxrwx.

The issue is: how do I change the default permission for newly created directories to drwxrw-rw-? With the current d-wxrwxrwx, testuser can't cd into the new directory and upload files to it. The OS is CentOS 7. Please help.

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: sFTP file and directory permission by default

Post by tunk » 2019/11/05 11:04:13

session optional pam_umask.so umask=0400
"4" = not read.
You may want to try something like: umask=0002

bakeng
Posts: 2
Joined: 2019/11/05 05:34:29

Re: sFTP file and directory permission by default

Post by bakeng » 2019/11/06 07:20:06

As per the request, files in sFTP must not be downloadable by default; that's why I put 0400. With 0002, the user can still download a file after uploading it. Correct me if I am wrong.
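Added example, not part of any post in this thread: it creates a file and a directory under each umask mentioned above (0400 and 0002) to show the resulting modes, then checks whether any single umask can produce --w-rw-rw- for files together with drwxrw-rw- for directories. It assumes the server requests 0666 for files and 0777 for directories before the umask is applied; the function names are illustrative.

```python
import os
import stat
import tempfile

# Assumption: modes requested at creation time, before the umask is applied.
FILE_REQ, DIR_REQ = 0o666, 0o777


def created_modes(umask):
    """Create a file and a directory under `umask`; return (file, dir) mode strings."""
    with tempfile.TemporaryDirectory() as tmp:  # created before the umask changes
        f = os.path.join(tmp, "upload.bin")
        d = os.path.join(tmp, "newdir")
        old = os.umask(umask)
        try:
            os.close(os.open(f, os.O_CREAT | os.O_WRONLY, FILE_REQ))
            os.mkdir(d, DIR_REQ)
        finally:
            os.umask(old)  # always restore the process umask
        modes = (stat.filemode(os.stat(f).st_mode),
                 stat.filemode(os.stat(d).st_mode))
        # Remove explicitly: a directory without owner read cannot be listed
        # by a recursive cleanup, but unlink/rmdir only need the parent.
        os.unlink(f)
        os.rmdir(d)
        return modes


def umasks_giving(file_target, dir_target):
    """Every umask in 0000..0777 that yields both target modes at once."""
    return [u for u in range(0o1000)
            if FILE_REQ & ~u == file_target and DIR_REQ & ~u == dir_target]


if __name__ == "__main__":
    for u in (0o400, 0o002):
        print(f"umask {u:04o}: file/dir = {created_modes(u)}")
    # Observed combination from the first post: only umask 0400 produces it.
    print([f"{u:04o}" for u in umasks_giving(0o266, 0o377)])
    # Wanted combination (--w-rw-rw- files, drwxrw-rw- directories).
    print([f"{u:04o}" for u in umasks_giving(0o266, 0o766)])
```

The last search comes back empty: a umask clears the same bits for files and directories, so the owner-read bit cannot be removed from files while staying set on directories.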
