[scponly] scponly and umask

Kaleb Pederson kaleb.pederson at gmail.com
Mon Jan 28 18:41:34 EST 2008


Joshua,

This is actually a fairly common problem.  To make matters worse, some 
sftp/upload clients will always attempt to set certain permissions while 
others will not.

There is not currently a good solution to this.  For my installation, I 
patched scponly to set the umask with the umask function (man 3p umask) after 
the user was chrooted and setuid permissions dropped.  I'm not sure if it's 
something that's generally useful though.

The patch is as simple as adding the following line at the right place:

umask(002); /* NOTE: <sys/stat.h> is already included in scponly.c */

I hope that helps.

--Kaleb
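Added example, not part of the thread or of scponly's source: it shows what a umask(2) call in a wrapper does to files and directories created afterwards, which is the effect the one-line patch above relies on. The scratch paths under /tmp are constructed for the demo.

```c
/* Demonstrates the effect of umask(2) on newly created files and
 * directories. A mask set in a wrapper (like the umask(002) patch for
 * scponly) is inherited by the child across fork/exec, so it reaches
 * sftp-server; it does not affect an explicit chmod the client sends. */
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

/* Create a scratch file (is_dir == 0) or directory (is_dir != 0) with
 * `requested` creation bits while `mask` is in force, and return the
 * permission bits the kernel actually applied, or -1 on error.
 * The scratch entry is removed again so the call is repeatable. */
int mode_after_umask(mode_t mask, mode_t requested, int is_dir) {
    char path[64];
    struct stat st;
    int rc, result = -1;

    /* constructed scratch name, unique per process and per kind */
    snprintf(path, sizeof path, "/tmp/umask-demo-%ld-%s",
             (long)getpid(), is_dir ? "dir" : "file");

    mode_t saved = umask(mask);          /* umask(2) returns the old mask */
    if (is_dir) {
        rc = mkdir(path, requested);
    } else {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
        rc = (fd < 0) ? -1 : close(fd);
    }
    umask(saved);                        /* restore the caller's mask */

    if (rc == 0 && stat(path, &st) == 0)
        result = (int)(st.st_mode & 07777);
    if (is_dir) rmdir(path); else unlink(path);
    return result;
}

int main(void) {
    /* An upload asking for 0666 and a mkdir asking for 0777, first with
     * the usual default mask 022, then with the 002 the thread wants. */
    printf("file  under 022: %04o\n", mode_after_umask(022, 0666, 0)); /* 0644 */
    printf("file  under 002: %04o\n", mode_after_umask(002, 0666, 0)); /* 0664 */
    printf("dir   under 022: %04o\n", mode_after_umask(022, 0777, 1)); /* 0755 */
    printf("dir   under 002: %04o\n", mode_after_umask(002, 0777, 1)); /* 0775 */
    return 0;
}
```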


On Monday 28 January 2008, Joshua Ball wrote:
> UPDATE:
>
> I created another PAM chroot where the shell was bash, and it was as
> immune to my umask attempts as the accounts using scponly. So I guess
> the problem is with pam chroots, not with scponly. If you still have
> ideas, then I'll be glad to hear them, but otherwise, my apologies for
> posting to the wrong list.
>
> Josh "Ua" Ball
>
> On 1/28/08, Joshua Ball <sciolizer at gmail.com> wrote:
> > Greetings,
> >
> > We have a setup on our server where some of our users use scponly as
> > their shell, and the scponly binary is kept in a PAM-controlled
> > chroot. (I am aware that there are security limitations to this, but
> > the concern is more about simplicity of interface than about security.
> > It would not be disastrous if our users managed to execute bash.)
> >
> > I want the default umask to be 0002. Most importantly, I want uploaded
> > files and newly created folders to have g+rwx permissions. (It is ok
> > if the user decides to chmod the files later to something more
> > restrictive.)
> >
> > According to
> > <https://lists.ccs.neu.edu/pipermail/scponly/2004-June/000556.html>,
> > this is beyond scponly's control, but I am at my wit's end trying to
> > figure out how else to change the umask. The things I have tried:
> >
> > - Adding "umask 002" to ~/.ssh/rc
> >
> > - Adding "umask 002" to /etc/ssh/sshrc
> >
> > - Changing the Subsystem sftp line in /etc/ssh/sshd_config to point to
> > the shell script:
> > #!/usr/bin/env bash
> > umask 007
> > exec /usr/lib/openssh/sftp-server
> >
> > - Patching ssh with the sftplogging patch, and adding "Umask 0002" to
> > /etc/ssh/sshd_config file.
> >
> > Some of the techniques work for regular accounts, but none of them
> > work for the accounts using scponly as their shell.
> >
> > Any help would be appreciated.
> >
> > Josh "Ua" Ball
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly