troubleshooting Question

UMask settings in Ubuntu SFTP Server are ignored

Avatar of rspit
rspit asked on
LinuxLinux SecuritySSH / Telnet Software
7 Comments1 Solution2383 ViewsLast Modified:
We have built an SFTP server with OpenSSH which has local Linux user accounts as well as PAM based Active Directory accounts. We will use this SFTP server for our customers (the local linux user) to share files with our employees (who login with their Active Directory account). We have CHRooted every local linux user and an Active Directory group to a  specific folder (the client’s folder). We use "internal-sftp" mode. The problem is when a client uses the “SFTP” application to upload files, our Active Directory based employees cannot open the files. We have to run CHMod each time. The umask settings we have established are not used.

We don't have this issue if the customer uses another client other than SFTP (such as FileZilla). However, we cannot force our client to use another application

Details:
1 - Customer upload some files to our SFTP server, below are the files I want to upload:
[root@CLIENT]# ls -l
total 12
-rw------- 1 root root 12 Mar  9 16:13 2.txt   //only root can read and write to this file

Uploading file
[root@nagios test]# sftp test@SFTP-test
Connecting to SFTP-Test
Password:
sftp> ls
Submission
sftp> cd Submission
sftp> put 2.txt
Uploading 2.txt to /Client/Submission/2.txt
2.txt                                         100%   12     0.0KB/s   00:00    
sftp> ls -l   //after upload the file the file permission keeps unchanged in our SFTP server. Only the user who uploads files can access it.
-rw-------    1 1505     1001           12 Mar  9 09:55 2.txt

2 - If our employee wants to access this file, the file permission should be -rw----r--
4 - In Linux system, we use umask to define the default permission for creating a new file.
         example: umask = 022, when we create a file, the file permission is -rw-r--r--(644)

*** SFTP Configuration (Cleansed of confidential) ***


# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2


#Privilege Separation is turned on for security UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

# Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) #Overwritten by lwidentity: ChallengeResponseAuthentication no ChallengeResponseAuthentication yes

# Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables AcceptEnv LANG LC_*

Subsystem sftp internal-sftp

UsePAM yes
KbdInteractiveAuthentication yes

Match group group1
        ChrootDirectory /home/ftp/group1
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 1 Answer and 7 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 7 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros