How to get full control of umask/PAM/permissions?
- by plua
OUR SITUATION
Several people from our company log in to a server and upload files. They all need to be able
to upload and overwrite the same files. They have different usernames, but are all part of the
same group. However, this is an internet server, so the "other" users should have (in general) just
read-only access. So what I want to have is these standard permissions:
files: 664
directories: 771
My goal is that all users do not need to worry about permissions. The server should be configured in such
a way that these permissions apply to all files and directories, newly created, copied, or over-written. Only
when we need some special permissions we'd manually change this.
We upload files to the server by SFTP-ing in Nautilus, by mounting the server using sshfs and accessing it in Nautilus
as if it were a local folder, and by SCP-ing in the command line. That basically covers our situation and what we aim
to do.
Now, I have read many things about the beautiful umask functionality. From what I understand umask (together with PAM) should allow me
to do exactly what I want: set standard permissions for new files and directories. However, after many many hours of reading and trial-and-error,
I still do not get this to work. I get many unexpected results. I really like to get a solid grasp of umask and have many question unanswered. I will post these questions below,
together with my findings and an explanation of my trials that led to these questions. Given that many things appear to go wrong, I think that
I am doing several things wrong. So therefore, there are many questions.
NOTE: I am using Ubuntu 9.10 and therefore can not change the sshd_config to set the umask for the SFTP server. Installed SSH OpenSSH_5.1p1 Debian-6ubuntu2 < required OpenSSH 5.4p1. So here go the questions.
1. DO I NEED TO RESTART FOR PAM CHANGS TO TAKE EFFECT?
Let's start with this. There were so many files involved and I was unable to figure out what does and what does not affect things, also because I did not
know whether or not I have to restart the whole system for PAM changes to take effect. I did do so after not seeing the expected results, but is this really
necessary? Or can I just log out from the server and log back in, and should new PAM policies be effective? Or is there some 'PAM' program to reload?
2. IS THERE ONE SINGLE FILE TO CHANGE THAT AFFECTS ALL USERS FOR ALL SESSIONS?
So I ended up changing MANY files, as I read MANY different things. I ended up setting the umask in the following files:
~/.profile -> umask=0002
~/.bashrc -> umask=0002
/etc/profile -> umask=0002
/etc/pam.d/common-session -> umask=0002
/etc/pam.d/sshd -> umask=0002
/etc/pam.d/login -> umask=0002
I want this change to apply to all users, so some sort of system-wide change would be best. Can it be achieved?
3. AFTER ALL, THIS UMASK THING, DOES IT WORK?
So after changing umask to 0002 at every possible place, I run tests.
------------SCP-----------
TEST 1:
scp testfile (which has 777 permissions for testing purposes) server:/home/
testfile 100% 4 0.0KB/s 00:00
Let's check permissions:
user@server:/home$ ls -l
total 4
-rwx--x--x 1 user uploaders 4 2011-02-05 17:59 testfile (711)
---------SSH------------
TEST 2:
ssh server
user@server:/home$ touch anotherfile
user@server:/home$ ls -l
total 4
-rw-rw-r-- 1 user uploaders 0 2011-02-05 18:03 anotherfile (664)
--------SFTP-----------
Nautilus: sftp://server/home/
Copy and paste newfile from client to server (777 on client)
TEST 3:
user@server:/home$ ls -l
total 4
-rwxrwxrwx 1 user uploaders 3 2011-02-05 18:05 newfile (777)
Create a new file through Nautilus. Check file permissions in terminal:
TEST 4:
user@server:/home$ ls -l
total 4
-rw------- 1 user uploaders 0 2011-02-05 18:06 newfile (600)
I mean... WHAT just happened here?! We should get 644 every single time. Instead I get 711, 777, 600, and then once 644. And the 644 is only achieved
when creating a new, blank file through SSH, which is the least probable scenario.
So I am asking, does umask/pam work after all?
4. SO WHAT DOES IT MEAN TO UMASK SSHFS?
Sometimes we mount a server locally, using sshfs. Very useful. But again, we have permissions issues.
Here is how we mount:
sshfs -o idmap=user -o umask=0113 user@server:/home/ /mnt
NOTE: we use umask = 113 because apparently, sshfs starts from 777 instead of 666, so with 113 we get 664 which is the desired file permission.
But what now happens is that we see all files and directories as if they are 664. We browse in Nautilus to /mnt and:
Right click - New File (newfile) --- TEST 5
Right click - New Folder (newfolder) --- TEST 6
Copy and paste a 777 file from our local client --- TEST 7
So let's check on the command line:
user@client:/mnt$ ls -l
total 8
-rw-rw-r-- 1 user 1007 3 Feb 5 18:05 copyfile (664)
-rw-rw-r-- 1 user 1007 0 Feb 5 18:15 newfile (664)
drw-rw-r-- 1 user 1007 4096 Feb 5 18:15 newfolder (664)
But hey, let's check this same folder on the server-side:
user@server:/home$ ls -l
total 8
-rwxrwxrwx 1 user uploaders 3 2011-02-05 18:05 copyfile (777)
-rw------- 1 user uploaders 0 2011-02-05 18:15 newfile (600)
drwx--x--x 2 user uploaders 4096 2011-02-05 18:15 newfolder (711)
What?! The REAL file permissions are very different from what we see in Nautilus. So does this umask on sshfs just create a 'filter' that shows unreal
file permissions? And I tried to open a file from another user but the same group that had real 600 permissions but 644 'fake' permissions, and I could
still not read this, so what good is this filter??
5. UMASK IS ALL ABOUT FILES. BUT WHAT ABOUT DIRECTORIES?
From my tests I can see that the umask that is being applied also somehow influences the directory permissions. However, I want my files to be 664 (002)
and my directories to be 771 (006). So is it possible to have a different umask for directories?
6. PERHAPS UMASK/PAM IS REALLY COOL, BUT UBUNTU IS JUST BUGGY?
On the one hand, I have read topics of people that have had success with PAM/UMASK and Ubuntu. On the other hand,
I have found many older and newer bugs regarding umask/PAM/fuse on Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/241198
https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/239792
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/549172
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314796
So I do not know what to believe anymore. Should I just give up? Would ACL solve all my problems?
Or do I have again problems using Ubuntu?
One word of caution with backups using
tar. Red Hat /Centos distributions
support acls in the tar program but
Ubuntu does not support acls when
backing up. This means that all acls
will be lost when you create a backup.
I am very willing to upgrade to Ubuntu 10.04 if that would solve my problems too, but first I want to understand what is happening.
