How to set up ssh's umask for all types of connections
- by Unode
I've been searching for a way to set up OpenSSH's umask to 0027 in a consistent way across all connection types.
By connection types I'm referring to:
1. sftp
2. scp
3. ssh hostname
4. ssh hostname program
The difference between 3. and 4. is that the former starts a shell which usually reads the /etc/profile information while the latter doesn't.
In addition, by reading this post I've become aware of the -u option that is present in newer versions of OpenSSH. However, this doesn't work.
I must also add that /etc/profile now includes umask 0027.
Going point by point:
sftp - Setting -u 0027 in sshd_config, as mentioned here, is not enough.
If I don't set this parameter, sftp uses umask 0022 by default. This means that if I have the two files:
-rwxrwxrwx 1 user user 0 2011-01-29 02:04 execute
-rw-rw-rw- 1 user user 0 2011-01-29 02:04 read-write
When I use sftp to put them in the destination machine I actually get:
-rwxr-xr-x 1 user user 0 2011-01-29 02:04 execute
-rw-r--r-- 1 user user 0 2011-01-29 02:04 read-write
However when I set -u 0027 on sshd_config of the destination machine I actually get:
-rwxr--r-- 1 user user 0 2011-01-29 02:04 execute
-rw-r--r-- 1 user user 0 2011-01-29 02:04 read-write
which is not expected, since it should actually be:
-rwxr-x--- 1 user user 0 2011-01-29 02:04 execute
-rw-r----- 1 user user 0 2011-01-29 02:04 read-write
Does anyone understand why this happens?
scp - Independently of what is set up for sftp, permissions are always umask 0022. I currently have no idea how to alter this.
ssh hostname - no problem here since the shell reads /etc/profile by default which means umask 0027 in the current setup.
ssh hostname program - same situation as scp.
In sum, setting the umask for sftp alters the result but not as it should, ssh hostname works as expected by reading /etc/profile, and both scp and ssh hostname program seem to have umask 0022 hardcoded somewhere.
Any insight on any of the above points is welcome.
EDIT: I would like to avoid patches that require manually compiling openssh. The system is running Ubuntu Server 10.04.01 (lucid) LTS with openssh packages from maverick.
Answer: As indicated by poige, using pam_umask did the trick.
The exact changes were:
Lines added to /etc/pam.d/sshd:
# Setting UMASK for all ssh based connections (ssh, sftp, scp)
session optional pam_umask.so umask=0027
Also, in order to affect all login shells regardless of whether they source /etc/profile or not, the same lines were also added to /etc/pam.d/login.
EDIT: After some of the comments I retested this issue.
At least in Ubuntu (where I tested) it seems that if the user has a different umask set in their shell's init files (.bashrc, .zshrc, ...), the PAM umask is ignored and the user-defined umask is used instead. Changes in /etc/profile didn't affect the outcome unless the user explicitly sources those changes in the init files.
It is unclear at this point if this behavior happens in all distros.
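The permission figures in the question, as an added worked example (not code from the question or the answer): a small POSIX shell helper that applies a umask to a source mode, renders the result in ls-style notation, and works backwards from observed permissions to the mask that must have been in force. It only does the arithmetic; nothing in it is an OpenSSH or PAM option.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: umask
# arithmetic to check what a given umask should produce and to infer
# which mask actually produced an observed set of permissions.

# apply_umask SOURCE_MODE MASK -> 4-digit octal mode a file created
# with SOURCE_MODE ends up with while MASK is in force.
apply_umask() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# infer_mask SOURCE_MODE OBSERVED_MODE -> bits cleared on the way
# (set in the source, absent from the result). Bits never set in the
# source cannot be observed, so this is a lower bound on the real mask.
infer_mask() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# mode_to_symbolic MODE -> the ls-style rwx string for an octal mode.
mode_to_symbolic() {
    m=$(( 0$1 )); out=""
    for pos in 6 3 0; do
        t=$(( (m >> pos) & 7 ))
        [ $(( t & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( t & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( t & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# The figures from the question: source files 0777 and 0666, the
# expected results under umask 0022 and 0027, and what the author
# actually observed with -u 0027 (0744 and 0644).
report() {
    for src in 0777 0666; do
        printf 'source %s: umask 0022 -> %s, umask 0027 -> %s\n' \
            "$src" "$(mode_to_symbolic "$(apply_umask "$src" 0022)")" \
            "$(mode_to_symbolic "$(apply_umask "$src" 0027)")"
    done
    # Both observed results are consistent with a mask of 0033, not
    # 0027. Octal 033 happens to equal decimal 27; whether that is the
    # cause is a guess, not something the post establishes.
    printf 'mask implied by 0777->0744: %s\n' "$(infer_mask 0777 0744)"
    printf 'mask implied by 0666->0644: %s\n' "$(infer_mask 0666 0644)"
}
report
```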