[scponly] scponly and umask

Joshua Ball sciolizer at gmail.com
Mon Jan 28 17:47:40 EST 2008


Greetings,

We have a setup on our server where some of our users use scponly as
their shell, and the scponly binary is kept in a PAM-controlled
chroot. (I am aware that there are security limitations to this, but
the concern is more about simplicity of interface than about security.
It would not be disastrous if our users managed to execute bash.)

I want the default umask to be 0002. Most importantly, I want uploaded
files and newly created folders to have g+rwx permissions. (It is ok
if the user decides to chmod the files later to something more
restrictive.)

According to <https://lists.ccs.neu.edu/pipermail/scponly/2004-June/000556.html>,
this is beyond scponly's control, but I am at my wit's end trying to
figure out how else to change the umask. The things I have tried:

- Adding "umask 002" to ~/.ssh/rc

- Adding "umask 002" to /etc/ssh/sshrc

- Changing the Subsystem sftp line in /etc/ssh/sshd_config to point to
the shell script:

    #!/usr/bin/env bash
    umask 007
    exec /usr/lib/openssh/sftp-server

- Patching ssh with the sftplogging patch, and adding "Umask 0002" to
/etc/ssh/sshd_config file.

Some of the techniques work for regular accounts, but none of them
work for the accounts using scponly as their shell.

Any help would be appreciated.

Josh "Ua" Ball


