# internal-sftp + umask via pam not working and -u only partly

## noclear2000

hi

I am really stuck here. 

I am receiving (a lot of small) files that are uploaded from lots of different clients via sftp (chroot-jailed).

I need a minimum of 660 (write access via group) on those files for later processing by a different user, which shares the group 'upload' with the sftp-upload users.

With the default umask 0022 (server + clients, clients "out of my reach"), the uploaded/created files end up as 644 (write missing for group 'upload'). As there are lots of users using different scripts and clients to upload files, I need to ensure the g+w is there on the server side.

This is why I added the '-u' option in the relevant Match clause of sshd_config (you can also see the comments where I played around with wrappers around sftp-server etc.):

```
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp -l VERBOSE
#Subsystem       sftp    /opt/sftp-server-wrapper.sh

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Match Group upload
        ChrootDirectory %h
        ForceCommand internal-sftp -l VERBOSE -u 0012
        AllowTcpForwarding no
```

At first glance this seems to work. When uploading with WinSCP@Win7 to the server, the files are now created as 664, which is good.

But this seems to work with Windows clients only (probably because there are no permissions on the client side to be "transferred" to the server).

When using the sftp CLI on a Linux client to upload files, it is not working. A 644 file on the client results in a 644 file on the server (not honoring my umask setting).

A 777 file from the client results in 765 on the server. It looks like the umask setting is not raising permissions but only lowering them on g & o.

I searched a lot on the internet and found the following things:

- login.conf, set umask based on group
- /etc/pam.d/sshd, set umask by appending "session    optional     pam_umask.so umask=0012"
- wrapper script for Subsystem that sets umask before exec of sftp-server

Nothing worked for me.

My current workaround is setting permissions after upload using inotify/incrond. But that doesn't scale well enough. During peak upload times it can happen that incrond is overly busy and thus /etc/init.d/incrond status returns a non-zero exit value, which makes my cluster switch. I now only check that the incrond process is running to avoid the switches. Still, incrond is a bottleneck.

Any input on how to get files uploaded with umask-specified permissions would be much appreciated.

Thanks a lot in advance!

Cheers
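The behaviour observed in the post (umask clearing bits but never adding them) reproduced with real open(2) calls, as an added example that is not part of the original post. It models what sftp-server does: open the new file with the mode the client sent, or 0666 when the client sends no attributes, under the process umask from `-u 0012`. The helper names are my own, and it assumes the upload directory carries no default ACL.

```python
import os
import stat
import tempfile

# Values from the post: server-side umask from "internal-sftp -u 0012" and the
# 660 minimum the 'upload' group needs. Sample files below are constructed.
SFTP_UMASK = 0o012
REQUIRED_GROUP_BITS = stat.S_IRGRP | stat.S_IWGRP


def effective_mode(client_mode, umask=SFTP_UMASK):
    """Permission bits a file ends up with: the kernel ANDs the requested
    mode with the complement of the umask, so bits can only be cleared."""
    return client_mode & ~umask & 0o777


def create_as_sftp_would(directory, name, client_mode=None, umask=SFTP_UMASK):
    """Create a file the way an SFTP upload does: open(2) with the client's
    mode (0666 if the client sent none, as a Windows client does) while the
    umask is in effect. Returns the resulting permission bits."""
    requested = 0o666 if client_mode is None else client_mode
    path = os.path.join(directory, name)
    old = os.umask(umask)
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested))
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def missing_group_write(directory):
    """Audit check: names of uploaded files that do not meet the 660 minimum."""
    bad = []
    for name in sorted(os.listdir(directory)):
        mode = stat.S_IMODE(os.stat(os.path.join(directory, name)).st_mode)
        if mode & REQUIRED_GROUP_BITS != REQUIRED_GROUP_BITS:
            bad.append(name)
    return bad


def demo():
    """The three client scenarios from the post, run in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        results = {
            "winscp": create_as_sftp_would(d, "winscp.dat", None),       # 0666 & ~0012 -> 0664
            "linux644": create_as_sftp_would(d, "linux644.dat", 0o644),  # stays 0644
            "linux777": create_as_sftp_would(d, "linux777.dat", 0o777),  # 0777 & ~0012 -> 0765
        }
        return results, missing_group_write(d)


if __name__ == "__main__":
    print(demo())
```

Only the Linux 644 upload fails the audit, matching the post: a mask can strip the group write bit a client never sent, but cannot add it.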
