Ssh – Increasing permissiveness/permissions for umask + openssh + chrooted SFTP server using internal-sftp

Tags: chroot, ssh, umask

The suggestion found at these links works for me:

Summary: Use PAM to inject the umask, using the following line in /etc/pam.d/sshd

session    optional     pam_umask.so umask=0027

However, this only works for taking away permissiveness on the files/directories in question, i.e. I found it to work, but only to further restrict the umask.

For example, setting the umask to 0077 works.

However, increasing permissiveness, such as allowing default group write access, does not work.

There seems to be some underlying default umask that I cannot override.

I have tried changing the umask in the following places, as well:

  • /etc/init.d/ssh => Doesn't work unless I upgrade to OpenSSH 5.4, which is not going to happen (there is an additional directive to set umask for the internal-sftp option in the newest OpenSSH)
  • /etc/init/ssh.conf => didn't work
  • /etc/login.defs => didn't work
  • /etc/pam.d/sshd => didn't work
  • /etc/profile => didn't work. Profile is not hit by SFTP since it isn't an interactive shell
  • /etc/ssh/sshd_config => didn't work

None worked. How can I allow more permissive masking for OpenSSH Chrooted SFTP?

Requirements:

  • Works with configuration only (i.e. no patching, no distro upgrades)
  • Works for Ubuntu 10.04LTS
  • Works for OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
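
Added example (not part of the original question or answer): a umask only clears bits from the mode requested at file creation, so it can restrict but never add permissions. The sketch assumes the creating side asks for 0644 (for instance, a mode taken from the uploaded file); the umask 0002 and the 0666 case are constructed for comparison with the 0027 and 0077 values above.

```python
import os
import stat
import tempfile


def created_mode(requested: int, umask: int) -> int:
    """Create a file with open(2) using `requested` as the mode argument
    while `umask` is in effect; return the permission bits actually stored."""
    old = os.umask(umask)  # umask is per-process state, restore it afterwards
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "upload.bin")  # constructed file name
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def report(requested_modes, umasks):
    """Return (requested, umask, result, group_writable) for every pair."""
    rows = []
    for req in requested_modes:
        for um in umasks:
            got = created_mode(req, um)
            # The kernel computes: result = requested AND NOT umask
            assert got == req & ~um & 0o777
            rows.append((req, um, got, bool(got & stat.S_IWGRP)))
    return rows


if __name__ == "__main__":
    # 0o644: assumed requested mode; 0o666: what a plain create would ask for
    for req, um, got, gw in report((0o644, 0o666), (0o077, 0o027, 0o002)):
        print(f"requested {req:04o}  umask {um:04o}  ->  {got:04o}  "
              f"group-write={'yes' if gw else 'no'}")
```

With a requested mode of 0644, even the permissive umask 0002 yields 0644: group write was never requested, so no umask setting can produce it.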

Best Answer

Use the right tool for the job. Upgrade to a version of SSH that provides the functionality you need. Would you get dialup Internet and then complain that you needed 10Mbps? No, you'd go buy DSL. Same thing here.