[scponly] scponly and umask

Kaleb Pederson kibab at icehouse.net
Thu Aug 24 04:05:50 EDT 2006


That's actually a problematic issue.  Unless you go with the sftp logging 
patch, which allows you to control things like the umask and permissions on 
uploaded files, the clients can pretty much do anything they want with the 
permissions of uploaded files.

There are a couple of possibilities:

- Use the SFTP Logging patch
- Patch scponly so that it issues a umask call itself
- Define permissions so that the folders are setgid to the group in question
- Use ACEs (specifically default ACEs) to manage permissions on the files

The first and the last of the above are really the best solutions.

Even if a file is setgid, it doesn't prevent the permissions from being 
changed to something that will make a file unreadable to someone else in the 
same group.  Similarly, even if you set scponly to use a umask call, certain 
clients always set the permission bits :(.  Thus, the middle two are really 
non-solutions but do help in certain cases.

See http://sftplogging.sourceforge.net/ for more information about the sftp 
logging patch.  For the ACEs, Google is your friend ;)

Hope that helps.

--Kaleb


On Thursday 24 August 2006 12:11 am, mephi wrote:
> I've got a directory on a server that a group of users have as a secure
> storage area. I've used scponly to make sure they all can only access the
> one area, this works really well (thank you =).
>
> I'm trying to set a umask of 007 for the area so that the users can all
> change any file/directory that's been uploaded, but it's not working.
>
> I've made a wrapper for sftp-server as detailed in the thread here:
>
> http://www.derkeiler.com/Newsgroups/comp.security.ssh/2005-09/0094.html
>
> This works for non-scponly users, but not those who have scponly as their
> shell. I've also tried wrapping the executable in the scponly area with the
> script, but that didn't work.
>
> Does anyone know how to make scponly work with umask?
>
> Cheers,
>
> Matt
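The permission problem discussed in this thread, as an added example that is not part of the thread or of scponly: it simulates an upload under umask 007 beside an upload where the client chmods the file afterwards, audits the shared area for files other group members can no longer modify, and shows the default-ACL setup. It assumes POSIX sh with find(1); the ACL helper additionally assumes setfacl(1) and an ACL-enabled filesystem, and the scratch directory, file names and group name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from scponly. It shows why a
# server-side umask is only a partial fix (the client can still chmod the
# upload), gives an audit check for files the group can no longer modify,
# and applies the default-ACL fix. Assumes POSIX sh plus find(1); the ACL
# helper additionally assumes setfacl(1) and an ACL-enabled filesystem.

# Create a scratch shared area (constructed stand-in for the real upload
# directory), setgid so new files inherit the directory's group.
setup_area() {
    area=$(mktemp -d) || return 1
    chmod 2770 "$area"
    printf '%s\n' "$area"
}

# Upload under umask 007: the new file gets mode 0660, group can read/write.
upload_with_umask() {
    ( umask 007; : > "$1/via_umask.txt" )
}

# The same upload by a client that explicitly sets mode 0600 afterwards,
# which some SFTP clients do regardless of the server-side umask.
upload_with_client_chmod() {
    ( umask 007; : > "$1/via_client.txt" && chmod 600 "$1/via_client.txt" )
}

# Exit 0 if the group has both read and write permission on the file.
group_rw() {
    [ -n "$(find "$1" -prune -perm -g=rw -print)" ]
}

# List regular files in the area that other group members cannot modify;
# run this after uploads to catch files a client has locked down.
find_group_unwritable() {
    find "$1" -type f ! -perm -g=rw -print
}

# Default ACL: files and directories created later in the area start with
# group rwx; a client chmod afterwards still narrows the ACL mask, so keep
# the audit above. Usage: apply_default_acl /path/to/area groupname
apply_default_acl() {
    setfacl -m "g:$2:rwx" "$1" && setfacl -d -m "g:$2:rwx" "$1"
}

if [ "${1:-}" = "demo" ]; then
    d=$(setup_area) || exit 1
    upload_with_umask "$d"; upload_with_client_chmod "$d"
    echo "files the group cannot modify:"; find_group_unwritable "$d"
    rm -rf "$d"
fi
```

Run it with the argument `demo` to see the audit output for the two simulated uploads.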