Thursday, November 8, 2007

Setting Basic File Permissions in a Non-Interactive SFTP/SCP Shell

Hey There,

I'm sure you've probably had this happen once and again. A user moves files to a box regularly, but can't be specific about how, and the files always have permissions he/she didn't expect. For instance, they may be 640 instead of the 644 expected, so the files aren't world-readable like he/she wants.

A cursory check of /etc/profile, /etc/.login, /etc/default/login, /users/home/directory/.profile, etc all show a umask of 022. Meaning all new files should be created as 644. Yet, they're still coming up 640.

In these sorts of cases, you're probably dealing with someone who's moving files using a transfer mechanism that doesn't open up an interactive shell. Common utilities like SCP and SFTP do this by design.

The most assured way to fix this problem quickly and simply (and, through security-by-ignorance on a per-user basis ;) is to just find your sshd_config file (usually in /etc, /usr/local/etc, /usr/local/openssh/etc or wherever your configuration places them) and check for a setting called:

PermitUserEnvironment no

All you need to do is change that "no" to a "yes" and then do the following, to easily change the permissions for that user's upcoming transfers.

1. Kill -1 (Kill -HUP) the sshd process. You can find the PID of the sshd process using ps -ef or looking in a state file, like /var/run/ Be sure to check /var/adm/messages, or wherever you log your ssh activity to, to be sure that the server restarts, as it needs to in order to re-read it's configuration file. Of course, if it crashes, you won't need to read a file to find out!

2. Create a file for the user (or su to the user and create the file as the user) in his/her .ssh directory in his/her home directory called, simply, "environment"

touch /users/home/directory/.ssh/environment
chmod 640 /users/home/directory/.ssh/environment

3. Then add one line to that file and your SCP/SFTP permissons problems should disappear.


Of course, 002 is a pretty generous umask, but you can set this to whatever is appropriate for your needs.

Now you have control of new file permissions in both interactive and non-interactive shells!

, Mike