When managing an Ubuntu 10.04 server (though these methods work on newer versions too), we often need to ensure files transferred via SFTP/SSH automatically receive specific permissions. The requirement here is to set g+rw for regular files and g+rwx for directories, while maintaining proper group ownership through setgid (chmod g+s).
The primary mechanism for this is the umask setting, which determines default permissions for newly created files. Here's how to implement it:
# For SFTP/SSH sessions, add this to /etc/ssh/sshd_config:
Subsystem sftp internal-sftp -u 002
Then restart SSH:
sudo service ssh restart
To maintain group ownership, set the setgid bit on parent directories:
sudo chmod g+s /path/to/shared_directory
sudo chown :shared_group /path/to/shared_directory
For more comprehensive control, modify the PAM configuration:
# Edit /etc/pam.d/sshd (add before @include common-session)
session optional pam_umask.so umask=0002
After making changes, test with:
touch testfile
mkdir testdir
ls -ld testfile testdir
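Expected output should show -rw-rw-r-- for files and drwxrwsr-x for directories. The s in the directory's group field appears only when testdir is created inside a directory that already has the setgid bit set.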
If permissions aren't applying correctly:
- Verify the umask is set in both SSH and PAM configurations
- Check for ACLs that might override permissions (getfacl /path)
- Ensure parent directories have proper setgid bits
When managing an Ubuntu 10.04 server (or any Linux system), SFTP/SSH file transfers often create files with overly restrictive default permissions. This becomes problematic when multiple team members need group access to newly uploaded files.
By default, new files typically get created with:
-rw-r----- 1 user group 0 Jan 1 12:00 newfile.txt
drwxr-x--- 2 user group 4096 Jan 1 12:00 newdir/
Notice the missing group write permissions (g+w) on both files and directories.
We'll implement three complementary measures:
1. Setting the Correct umask
Add this to /etc/ssh/sshd_config:
# Force specific umask for SFTP/SSH sessions
Subsystem sftp internal-sftp -u 002
2. Directory setgid for Group Inheritance
For existing directories (and add to your deployment scripts):
find /path/to/shared/dir -type d -exec chmod g+s {} \;
3. Permanent umask Configuration
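Add to /etc/profile or user-specific ~/.bashrc:
# Set default umask for interactive shells
# Both branches apply 002, so the result does not depend on whether the
# user's primary group is a private group named after the user.
if [ "$(id -gn)" = "$(id -un)" ]; then
    umask 002
else
    umask 002
fi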
After making changes, restart SSH and test:
sudo service ssh restart
sftp user@yourserver
> put testfile.txt
> mkdir testdir
Expected permissions should now be:
-rw-rw-r-- 1 user group 0 Jan 1 12:00 testfile.txt
drwxrwsr-x 2 user group 4096 Jan 1 12:00 testdir/
- For systems with pam_umask, configure /etc/login.defs
- ACLs (setfacl) can provide more granular control
- Consider filesystem mount options like dmask and fmask
If permissions aren't applying as expected:
# Check effective umask:
umask
# Verify sshd is using the correct config (sshd -T has no umask keyword;
# the -u 002 argument appears on the subsystem line):
sudo sshd -T | grep -i '^subsystem'
# Confirm parent directory has setgid:
ls -ld /path/to/parent
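The checks above can be automated. The following script is an added example, not part of the original article: it audits a shared tree for directories missing setgid or g+rwx, files missing g+rw, and world-writable entries. The function name, finding labels and temporary demo tree are constructed for illustration, and the demo relies on Linux passing the setgid bit on to new subdirectories.

```sh
#!/bin/sh
# Added example (not from the original page): audit a shared upload tree
# against the group-permission policy described above.
# The finding labels are names chosen for this example.

# Print one line per violation; return 1 if any were found, 0 otherwise.
audit_shared_tree() {
    dir=$1
    findings=$(
        # Directories need setgid plus g+rwx (all of mode bits 2070).
        find "$dir" -type d ! -perm -2070 -print |
            sed 's/^/DIR_MISSING_SETGID_OR_GRWX /'
        # Regular files need g+rw (mode bits 060).
        find "$dir" -type f ! -perm -0060 -print |
            sed 's/^/FILE_MISSING_GRW /'
        # umask 002 masks o+w at creation, so any world-writable entry
        # came from a looser umask or a later chmod; flag it.
        find "$dir" ! -type l -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: two entries created under umask 002 (compliant)
# and two under umask 022 (reported as missing group write).
demo() {
    root=$(mktemp -d)
    chmod 2775 "$root"    # setgid parent, as in the chmod g+s step
    ( umask 002; mkdir "$root/ok_dir"; : > "$root/ok_file" )
    ( umask 022; mkdir "$root/bad_dir"; : > "$root/bad_file" )
    audit_shared_tree "$root" || true
    rm -rf "$root"
}

# With a path argument, audit that tree; with none, run the demo.
if [ "$#" -gt 0 ]; then audit_shared_tree "$1"; else demo; fi
```

Run it with the shared directory as its argument after an SFTP upload test; a non-zero exit status means at least one entry does not match the expected -rw-rw-r-- / drwxrwsr-x pattern.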