[scponly] scponly and umask

Joshua Ball sciolizer at gmail.com
Mon Jan 28 18:03:59 EST 2008


UPDATE:

I created another PAM chroot where the shell was bash, and it was as
immune to my umask attempts as the accounts using scponly. So I guess
the problem is with PAM chroots, not with scponly. If you still have
ideas, then I'll be glad to hear them, but otherwise, my apologies for
posting to the wrong list.

Josh "Ua" Ball

On 1/28/08, Joshua Ball <sciolizer at gmail.com> wrote:
> Greetings,
>
> We have a setup on our server where some of our users use scponly as
> their shell, and the scponly binary is kept in a PAM-controlled
> chroot. (I am aware that there are security limitations to this, but
> the concern is more about simplicity of interface than about security.
> It would not be disastrous if our users managed to execute bash.)
>
> I want the default umask to be 0002. Most importantly, I want uploaded
> files and newly created folders to have g+rwx permissions. (It is ok
> if the user decides to chmod the files later to something more
> restrictive.)
>
> According to
> <https://lists.ccs.neu.edu/pipermail/scponly/2004-June/000556.html>,
> this is beyond scponly's control, but I am at my wit's end trying to
> figure out how else to change the umask. The things I have tried:
>
> - Adding "umask 002" to ~/.ssh/rc
>
> - Adding "umask 002" to /etc/ssh/sshrc
>
> - Changing the Subsystem sftp line in /etc/ssh/sshd_config to point to
> the shell script:
> #!/usr/bin/env bash
> umask 007
> exec /usr/lib/openssh/sftp-server
>
> - Patching ssh with the sftplogging patch, and adding "Umask 0002" to
> /etc/ssh/sshd_config file.
>
> Some of the techniques work for regular accounts, but none of them
> work for the accounts using scponly as their shell.
>
> Any help would be appreciated.
>
> Josh "Ua" Ball
>


