Hyperion took 2 years to build: “Disney Animation…

Hyperion took 2 years to build: “Disney Animation was developing their own new production renderer from scratch.” fxguide.com/featured/disne…

Posted in Tweets

Using GECOS & PAM for custom umask settings, incl via Chroot SFTP

The PAM module pam_umask (shipped with current Debian releases) is a convenient way to give individual users their own umask, and it works even inside the restricted "SFTP chroot" environment, where the usual shell-based mechanisms cannot be used.

An SFTP session that is chrooted into a specific directory tree (the common setup for SFTP-only users) never starts a login shell, so the normal Linux ways of changing a user's default umask, such as .bashrc, .profile or any other shell startup file, have no effect: the in-process SFTP server inherits its umask from the sshd session that spawned it, not from a shell.

What can still change the default umask of a chrooted SFTP user (for example from 0022 to 0002, so that new files are group-writable) is the PAM session stack: sshd runs the PAM session modules before it starts the SFTP subsystem, provided UsePAM is enabled in the server configuration, which it is by default on Debian.
PAM ships a "pam_umask" module (installed by default on Debian) that has to be part of the SSH server's session stack. Check first whether your system already loads it, for example with "grep -r pam_umask /etc/pam.d/" (Debian's common-session frequently pulls it in); if it does not, enable it in /etc/pam.d/sshd by adding the following line at the top of that file:

session optional pam_umask.so

The line above only loads the module; by itself it changes no system behaviour. Once it is loaded, pam_umask looks for a "umask=" entry in the GECOS field of the user's passwd record (see the pam_umask(8) man page), and chfn -o writes exactly that into the "other" subfield of GECOS. To give a user a group-write umask, run the following as root:

chfn -o "umask=0002" username

Then, if that user is chrooted and forced onto the internal SFTP server by the following settings in /etc/ssh/sshd_config (the Match block must come after the global directives), every file and directory they upload will be created with group-write allowed by default, i.e. 0664 for files and 0775 for directories. One caveat: sshd refuses a chrooted login unless the ChrootDirectory (%h here) and every directory above it are owned by root and not writable by group or others, so the user cannot write into the chroot root itself; give them a root-owned home directory with a user-owned upload subdirectory inside it:

UsePAM yes

Subsystem sftp internal-sftp

Match User username
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
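As an added example (not from the original post), here is a small POSIX shell audit that mirrors what pam_umask does with the GECOS field and what sshd checks on a ChrootDirectory: it extracts the umask= setting from passwd lines, computes the modes new files and directories end up with, and walks a chroot path checking the root-ownership rule. The user names and passwd lines are constructed, and the chroot check assumes GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for the pam_umask /
# chrooted-SFTP setup. The sample passwd lines below are constructed, not real.

# pam_umask reads "umask=NNNN" from the GECOS (5th) field of a passwd entry;
# chfn -o writes it into the last ("other") subfield. Print the umask pam_umask
# would apply for one passwd line, or $2 (default 0022) if none is set.
gecos_umask() {
    fallback=${2:-0022}
    gecos=$(printf '%s\n' "$1" | cut -d: -f5)
    value=$(printf '%s\n' "$gecos" | tr ',' '\n' \
            | sed -n 's/^umask=\([0-7]\{3,4\}\)$/\1/p' | head -n 1)
    # The leading 0 makes printf parse the digits as octal.
    printf '%04o\n' "0${value:-$fallback}"
}

# Mode a new file (requested 0666) or directory (requested 0777) ends up with
# under a given umask: requested & ~umask.
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# For every line of passwd-format input on stdin, print "user umask".
audit_umasks() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(gecos_umask "$line")"
    done
}

# sshd refuses a chrooted login unless the ChrootDirectory and every directory
# above it are owned by root and not writable by group or others. Walk the path
# upwards and report the first component that breaks the rule. Assumes GNU stat.
chroot_dir_ok() {
    p=$1
    while :; do
        info=$(stat -c '%u %a' "$p" 2>/dev/null) || { echo "cannot stat: $p" >&2; return 1; }
        owner=${info%% *}
        mode=${info##* }
        [ "$owner" = 0 ] || { echo "not root-owned: $p" >&2; return 1; }
        [ $(( 0$mode & 022 )) -eq 0 ] || { echo "group/other writable: $p" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Constructed sample: alice has umask=0002 set via chfn -o, bob has no setting.
SAMPLE_PASSWD='alice:x:1001:1001:Alice Example,,,,umask=0002:/home/alice:/usr/sbin/nologin
bob:x:1002:1002:Bob Example:/home/bob:/usr/sbin/nologin'

printf '%s\n' "$SAMPLE_PASSWD" | audit_umasks
echo "file with umask 0002: $(effective_mode 0666 0002)"
echo "dir  with umask 0022: $(effective_mode 0777 0022)"
```

On a live system, "getent passwd username | audit_umasks" shows what pam_umask will pick up after the chfn -o step, "chroot_dir_ok /home/username" tells you before the first login whether sshd will accept the ChrootDirectory, and "sshd -T -C user=username" prints the effective configuration (including the Match block) for that user; the final check is to upload a file over SFTP and look at its mode with ls -l. If you would rather not involve PAM at all, OpenSSH 5.4 and later also accept a umask directly on the subsystem, as in "ForceCommand internal-sftp -u 0002", which applies to every user matched by that block rather than per user.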

FYI,
Richard.

Posted in Network Presence, Sales

Startup Class: How to Build Products Users Love. h…

Startup Class: How to Build Products Users Love. startupclass.samaltman.com/courses/lec07/

Posted in Tweets

$GOOG decides that some time soon you won’t be ab…

$GOOG decides that some time soon you won’t be able to browse some https:// sites in Chrome due to SSL 3.0 issues. googleonlinesecurity.blogspot.com.au/2014/10/this-p…

Posted in Tweets

RT @servantofchaos: Atlassian’s Scott Farquhar on…

RT @servantofchaos: Atlassian’s Scott Farquhar on share options and the ‘brain-dead’ things Australia does to starbuff.ly/1qYm5c8us72cA

Posted in Tweets

Alerting & Monitoring Philosophy from a Google…

Alerting & Monitoring Philosophy from a Google Site Reliability Engineer. docs.google.com/a/gravitant.co…

Posted in Tweets

Response Times: The 3 Important Limits. ie: Aim fo…

Response Times: The 3 Important Limits. ie: Aim for 100ms from pressing enter to 1st TCP packets with page data. nngroup.com/articles/respo…

Posted in Tweets

A Doom Renderer written in Rust. https://t.co/ZyHT…

A Doom Renderer written in Rust. github.com/cristicbz/rust…

Posted in Tweets

Masters of Data Science. http://t.co/NhanUwW9Uu

Masters of Data Science. datasciencemasters.org

Posted in Tweets

RT @RealGeneKim: From the Monolith to Micro-Servic…

RT @RealGeneKim: From the Monolith to Micro-Services by @randyshoup #architecture #enterprise slideshare.net/RandyShoup/got… via @SlideShare

Posted in Tweets