# sftp chroot and umask



## vh (Mar 8, 2013)

Folks, gurus and pundits,

I have set up a chrooted sftp environment that works fine. In the login.conf file, I set the umask for the sftp users class (there is only one) at (0)007, so I expect transferred files to be stored with permissions 770.

However, I do not always get 770 permissions. What I get seems to be a logical AND between the source (local permissions) and the (remote) umask set in login.conf. Is that correct? Any clue on how to bypass this (strange?) behavior?

Thanks a lot,
Vincent


----------



## mix_room (Mar 8, 2013)

When I was setting it up I explicitly forced the sftp-subsystem into a umask. 

In sshd_config


```
Match User sftp-user
        ChrootDirectory /home/sftp-user
        ForceCommand    internal-sftp -u 007 -f AUTH -l VERBOSE
```

This was the only way I found to get the right permissions.


----------



## vh (Mar 8, 2013)

Hi! Thanks a lot for your answer.


```
Match User sftp-user
        ChrootDirectory /home/sftp-user
        ForceCommand    internal-sftp -u 007 -f AUTH -l VERBOSE
```

I tried and got the same behavior: e.g., if on my local machine I have:


```
-rw-r--r--  …   setup.py
```

after transferring with umask 007 I get:


```
-rw-r-----  … setup.py
```

That is to say a mask of the original permissions with sshd_config umask. Could it be a trick of the sftp client?

V.


----------



## mix_room (Mar 11, 2013)

What is your sftp-subsystem set to? 

In my sshd_config:

```
# override default of no subsystems
Subsystem       sftp    internal-sftp -f AUTH -l VERBOSE
```


----------



## vh (Mar 13, 2013)

mix_room said:

> What is your sftp-subsystem set to?
> 
> In my sshd_config:
> 
> ...



I just have this:


```
# override default of no subsystems
Subsystem       sftp    internal-sftp
```

But the default configuration is overridden for the user I'm testing:


```
Match User catalogue
        ChrootDirectory /home/chroot
        ForceCommand    internal-sftp -u 007 -f AUTH -l VERBOSE
        X11Forwarding no
        AllowTcpForwarding no
```

Thanks for your help!
Vincent


----------
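Added example, not part of the thread: a local reproduction of the permissions reported above. It assumes the sftp client sends the local file's permission bits as the creation mode (as the OpenSSH client does) and that the server passes them to open(2) under the umask given with `-u`. The function names and file name are hypothetical.

```python
import os
import stat
import tempfile

SERVER_UMASK = 0o007  # the value passed to internal-sftp -u in the thread


def created_mode(requested_mode, umask=SERVER_UMASK):
    """Create a file with a caller-supplied mode while `umask` is in force
    and return the permission bits the file actually ends up with."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "upload.bin")  # hypothetical name
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                         requested_mode)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)  # umask is process-wide, so always restore it


def report(client_modes, umask=SERVER_UMASK, wanted=0o770):
    """For each client-side mode return (sent, stored, bits of `wanted`
    that are absent from the stored mode)."""
    rows = []
    for mode in client_modes:
        got = created_mode(mode, umask)
        rows.append((mode, got, wanted & ~got))
    return rows


if __name__ == "__main__":
    # Constructed sample of local file modes, including the 0644 case
    # (-rw-r--r--) shown in the thread.
    for sent, got, missing in report([0o644, 0o600, 0o755, 0o777]):
        print(f"client sent {stat.filemode(stat.S_IFREG | sent)}  "
              f"stored {stat.filemode(stat.S_IFREG | got)}  "
              f"missing vs 0770: {missing:04o}")
```

A umask only clears bits from the mode requested at creation time, so a file uploaded as 0644 is stored as 0640 and reaches 0770 only if the requested mode already had those bits set.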

