Set File Permissions on Uploaded Files

The options described here affect permissions on files uploaded using either sftp or scp.

Using ForceSftpFilePermissions to set Permissions

ForceSftpFilePermissions is a server keyword that you can use to specify a file permission value for all files uploaded to the server using sftp or scp. This setting overrides all other permission setting actions. It takes a three-digit permission mode value. For example:

ForceSftpFilePermissions=600

In this example, all uploaded files are set to 600 (-rw-------). In addition, if a user attempts to change the permissions on an existing file, that file is also set to 600, regardless of the permission value requested by the client user.

When ForceSftpFilePermissions is configured:

  • All uploaded files are set to the specified value regardless of whether or not a file is newly created or overwrites an existing file.
  • The system UMASK setting is ignored.
  • Any chmod command executed by an sftp user ignores the user-specified value and changes the file's permissions to the value set by ForceSftpFilePermissions.
  • The -p option is ignored if it is used on the sftp and scp command line.

In the following session, the user joe is connecting to demoserver.com, on which ForceSftpFilePermissions is set to 600. Joe's local file sample.txt has permissions=666. After the transfer, the file permissions for sample.txt on the server are set to600. Joe lists permissions for his file test.txt on the server and sees that the permissions=666. Joe attempts a chmod to change the permissions to 644. Because the ForceSftpFilePermissions value overrides Joe's value, after this command, the file permissions are set to 600.

joe@abchost:~> ls -l sample.txt

-rw-rw-rw- 1 joe users 9668 2011-06-18 17:41 sample.txt

joe@abchost:~> sftp demoserver.com

Authentication successful.

sftp> put sample.txt

sample.txt 668 9.4KB/s 00:00 100%

sftp> ls -l sample.txt

-rw------- 1 joe joe 9668 Mar 18 2011 sample.txt

sftp> ls -l test.txt

-rw-rw-rw- 1 joe joe 73 Jan 15 17:49 test.txt

sftp> chmod 644 test.txt

Changing mode on /home/joe/test.txt

sftp> ls -l test.txt

-rw------- 1 joe joe 73 Jan 15 17:49 test.txt

sftp>

Using System Settings to Control Permissions

If ForceSftpFilePermissions is not configured, the system settings determine uploaded file permissions.

If the file already exists on the server:

  • The server file permissions remain the same after a transfer; the transfer updates the contents of the file contents, but does not modify existing file permissions.

If the file does not exist on the server, the following factors affect the permissions set on the transferred file. Items lower on this list override items higher on the list.

  1. The uploaded file is given the same permissions as the source file provided there are no settings in effect on the server that prevent the creation of files with these permissions.
  2. If the client requests a UMASK value using the SetRemoteEnv keyword, those permission limits are applied.
  3. System-wide settings for new file creation are applied. (For example, these may be configured in standard system files such as /etc/default/login and /etc/environment, or using PAM.)
  4. If a UMASK value is configured in a global Reflection for Secure IT environment file (/etc/ssh2/environment), those permission limits are applied.
  5. If a UMASK value is configured in a user-specific Reflection for Secure IT environment file (~/.ssh2/environment), those permission limits are applied.

 

Note: UMASK is included by default in the list of environment variables allowed by SettableEnvironmentVars. If UMASK is not included in this list, you cannot modify UMASK values using an environment file on the server or using the client SetRemoteEnv keyword.

To set permissions on uploaded files on the server using the environment file

  1. Create (or edit) the environment file.

    To configure

    Use this path and file name

    User-specific settings

    ~/.ssh2/environment

    Global settings

    /etc/ssh2/environment
  2. Add a line specifying the UMASK value that you want to apply to uploaded files. For example:

    UMASK=066

To set permissions on uploaded files from the client using SetRemoteEnv

  • Open the client configuration file (/etc/ssh2/ssh2_config) in a text editor. Add a line using SetRemoteEnv to specify the UMASK value you want to apply to uploaded files. For example:

    SetRemoteEnv=UMASK=066

-OR-

  • Use SetRemoteEnv on the command line to specify a UMASK value. For example:

    sftp -oSetRemoteEnv=UMASK=066 joe@myserver.com

The following session shows the use of SetRemoteEnv to set permissions on a file uploaded using scp. The source file (demo) allows user, group, and world read/write access (644) on the client (abchost). After the upload, the file allows user-only read/write access (600) on the server (xyzhost).

joe@abchost:~> ls -l demo

-rw-r--r-- 1 joe users 30 2008-10-02 12:07 demo

joe@abchost:~> scp -oSetRemoteEnv=UMASK=066 demo joe@10.10.3.232:

Authentication successful.

demo 30 0.0KB/s 00:00 100%

joe@abchost:~> ssh joe@10.10.3.232

Authentication successful.

Last login: Thu Oct 2 16:56:22 2008 from 150.215.83.121

[joe@xyzhost ~]$ ls -l demo

-rw------- 1 joe joe 30 Oct 2 16:57 demo

[joe@xyzhost ~]$