How to force permission rights when sending files over SFTP


Environment

  • Red Hat Enterprise Linux
    • sftp

Issue

  • When uploading files using SFTP, permissions are always set to 644, but I want 664 instead.
  • Alternatively, I don't want the user's umask applied to the permissions of the files I upload.

    $ sftp mysftpserver
    sftp> !ls -l myfile
    -rw-rw-r--. 1 rmetrich rmetrich 0 Dec 15 09:49 myfile
    sftp> put myfile
    Uploading myfile to /root/myfile
    myfile                                                                              100%    0     0.0KB/s   00:00    
    sftp> ls -l
    -rw-r--r--  1 rmetrich rmetrich 0 Dec 15 09:50 myfile
    
  • When uploading files using SFTP with permissions preserved (put -p), permissions are always set to the source file's permissions, but I want 664 instead.

    $ sftp mysftpserver
    sftp> !ls -l myfile
    -rw-r--r--. 1 rmetrich rmetrich 0 Dec 15 09:49 myfile
    sftp> put -p myfile
    Uploading myfile to /root/myfile
    myfile                                                                              100%    0     0.0KB/s   00:00    
    sftp> ls -l
    -rw-r--r--  1 rmetrich rmetrich 0 Dec 15 09:50 myfile
    

Resolution

  • Permissions can be forced on the server side by modifying the Subsystem line in the /etc/ssh/sshd_config configuration file, as shown below:

    # grep Subsystem /etc/ssh/sshd_config
    Subsystem sftp /usr/libexec/openssh/sftp-server -m 664 -u 002
    
  • Alternatively, if you don't want to force a mode but just want to clear the umask for scp/sftp only, so that permissions are unaltered during transmission, you can specify something like:

    # grep Subsystem /etc/ssh/sshd_config
    Subsystem sftp /usr/libexec/openssh/sftp-server -u 000
    

Refer to the sftp-server(8) man page for details.

Root Cause

  • Without any special flag, sftp creates the remote file with permissions 0644 (rw-r--r--), then applies the remote user's umask. A umask can only restrict the initial permissions, so the highest possible permissions are 0644.
  • With the -p flag (preserve permissions), sftp creates the remote file with the permissions of the source file, then applies the remote user's umask. A umask can only restrict the initial permissions, so the highest possible permissions are those of the source file.
    • Sending a file with initial permissions rw-r--r-- will result in permissions rw-r--r-- if umask is set to 0002
    • Sending a file with initial permissions rw-rw-rw- will result in permissions rw-rw-r-- if umask is set to 0002
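
The rules above and the two Subsystem lines from the Resolution can be checked against each other with a small model. This is an added example, not part of the original solution or of OpenSSH; it assumes that -m replaces the requested mode outright and that -u replaces the remote user's umask, and the function names and sample modes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Simplified model of the mode
# an uploaded file ends up with, following the article's Root Cause section.
# Assumption: -m replaces the requested mode outright; otherwise the requested
# mode is masked by -u if present, else by the remote user's umask.

# predict_mode SUBSYSTEM_LINE REQUESTED_MODE USER_UMASK  -> prints octal mode
predict_mode() (
    forced= mask=$3 prev=
    for word in $1; do            # unquoted on purpose: split into words
        case $prev in
            -m) forced=$word ;;
            -u) mask=$word ;;
        esac
        prev=$word
    done
    for v in "$2" "$mask" ${forced:+"$forced"}; do
        case $v in ''|*[!0-7]*) echo "not octal: $v" >&2; exit 2 ;; esac
    done
    if [ -n "$forced" ]; then
        printf '%03o\n' "$(( 0$forced & 0777 ))"
    else
        printf '%03o\n' "$(( 0$2 & ~0$mask & 0777 ))"
    fi
)

# is_world_writable MODE -> exit status 0 if the "other" write bit is set
is_world_writable() { [ "$(( 0$1 & 0002 ))" -ne 0 ]; }

# A line without flags plus the two Subsystem lines from the Resolution section.
DEFAULT='Subsystem sftp /usr/libexec/openssh/sftp-server'
FORCED='Subsystem sftp /usr/libexec/openssh/sftp-server -m 664 -u 002'
CLEARED='Subsystem sftp /usr/libexec/openssh/sftp-server -u 000'

# Constructed cases: client-requested modes 644 and 666, user umask 0002.
for cfg in "$DEFAULT" "$FORCED" "$CLEARED"; do
    for req in 644 666; do
        got=$(predict_mode "$cfg" "$req" 0002)
        note=
        if is_world_writable "$got"; then note='  <-- world-writable'; fi
        printf '%-16s requested=%s result=%s%s\n' "${cfg#*sftp-server}" "$req" "$got" "$note"
    done
done
```

With -u 000, a file sent with put -p keeps every bit of its source mode, so a local rw-rw-rw- file arrives world-writable; the -m 664 line yields 664 regardless of what the client requests.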
