[scponly] scponly and umask

Ken kbingham at booksurge.com
Tue Mar 31 17:59:27 EDT 2009


I follow. Since sshd_config was definitely reloaded, and I confirmed the
instance of sshd that is listening on TCP:22 is the patched version of
5.1, and there was very little opportunity for human error in the
patching process itself, what next?

Regarding that patching process, does anything below stand out as a
potentially error-prone step?
1) obtain OpenSSH-server v5.1p1 source in /usr/local/src with filename
"openssh-5.1p1.tar.gz"
2) obtain sftpfilecontrol patch with filename
"openssh-5.1p1.sftpfilecontrol-v1.3.patch"
3) execute:
root@src% patch -p0 < openssh-5.1p1.sftpfilecontrol-v1.3.patch
4) ./configure; make; make install (defaults to /usr/local/sbin)
5) stop sshd, edit paths in /etc/init.d/sshd
6) back up existing sshd_config; I chose to use the sshd_config provided
by the build process, which includes the sftpfilecontrol directives at
the foot
7) start sshd
8) confirm the effective instance of sshd is the patched version with:
% netstat -lnp; ps u -p <pid of sshd>
-or display the banner-
% nc localhost 22
SSH-2.0-OpenSSH_5.1p1+sftpfilecontrol-v1.3


Ken Bingham
SysAdmin, Booksurge
(843) 760-8038 EDT
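The verification step above (banner check plus netstat/ps lookup of the listening pid) is the part that most often hides the mistake, since a distro sshd in /usr/sbin can still be the one on port 22 after a /usr/local/sbin build. The script below is an added example, not code from this thread, from scponly or from the sftpfilecontrol patch; it automates that check. It assumes a Linux host with /proc, the iproute2 `ss` tool (Ken's `netstat -lnp` gives the same pid) and `nc` on the PATH, and it takes the expected version string from the banner quoted above.

```shell
#!/bin/sh
# Added example (not from the scponly thread): confirm that the sshd answering
# on a port really is the sftpfilecontrol-patched build before spending more
# time on sshd_config. Assumes Linux /proc, iproute2 `ss` and `nc`.

# Software-version string from the banner quoted in the thread.
EXPECTED_VERSION="OpenSSH_5.1p1+sftpfilecontrol-v1.3"

# Reduce a raw identification line (RFC 4253: "SSH-proto-software SP comment")
# to the software-version field, dropping the protocol prefix, any comment and CR.
banner_software() {
    printf '%s\n' "$1" | tr -d '\r' | sed 's/^SSH-[0-9.]*-//; s/ .*//'
}

# Succeed only when the banner identifies exactly the expected patched build.
banner_is_patched() {
    [ "$(banner_software "$1")" = "$EXPECTED_VERSION" ]
}

# Read the identification line from a live server. sshd sends it first, so no
# client data is needed; stdin is held open briefly so nc does not exit early.
fetch_banner() {
    ( sleep 2 ) | nc "$1" "$2" 2>/dev/null | head -n 1 | tr -d '\r'
}

# PID of the first process listening on TCP port $1 (needs root to see pids).
listening_pid() {
    ss -lntp 2>/dev/null | awk -v p=":$1" \
        '$4 ~ p"$" { if (match($0, /pid=[0-9]+/)) { print substr($0, RSTART+4, RLENGTH-4); exit } }'
}

# Binary behind a pid: catches /usr/sbin/sshd still owning the port instead
# of the freshly installed /usr/local/sbin/sshd.
exe_of_pid() {
    readlink "/proc/$1/exe"
}

main() {
    host=${1:-localhost}; port=${2:-22}
    banner=$(fetch_banner "$host" "$port")
    echo "banner: $banner"
    if banner_is_patched "$banner"; then
        echo "OK: listener identifies as $EXPECTED_VERSION"
    else
        echo "MISMATCH: expected $EXPECTED_VERSION, got '$(banner_software "$banner")'" >&2
    fi
    pid=$(listening_pid "$port")
    if [ -n "$pid" ]; then
        echo "pid $pid -> $(exe_of_pid "$pid")"
    else
        echo "no listener found on :$port (run as root to see pids)" >&2
    fi
}

# Usage: sh check_sshd.sh [host] [port]; with no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root (`sh check_sshd.sh localhost 22`) so `ss` can report pids; a banner that matches but a pid whose binary is not the freshly built sshd would point at the init script paths in step 5 rather than at the patch.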



Kaleb Pederson wrote:
> That's what I thought.  So, for some reason ssh is not picking up the
> values from sshd_config correctly (maybe it wasn't restarted, maybe it
> wasn't correctly patched, etc.).
> 
> SFTP_PERMIT_CHMOD should be 0, as should SFTP_PERMIT_CHOWN.  I didn't
> bother checking the umask environment variable, but if you can read
> source code you could look through the patch and determine what it
> should be set to as well.
> 
> You'll need to figure out how to make the sftp file controls work in a
> normal shell using the sftpfilecontrol patch.  Once you have it
> working in a normal shell, then you can switch over to the scponly
> pseudo-shell and hopefully everything will just work at that point.
> 
