Shadow passwords, enhanced security, and sftp umask

Adam Garsha
Valued Contributor

After moving to use shadow passwords, our sftp users now end up creating files with mode -rw------- (600).

When users actually log in via ssh and create files locally, the files are instead -rw-r--r-- (644); this also used to be true for sftp prior to using shadow passwords.

In /etc/profile the umask is set to 022. So, my working theory is that enhanced security changed the default umask from 022 to 077 and that sftp does not run commands in /etc/profile.

1.) What do you think about this theory?
2.) Do you know a way to force the sshd daemon to make sftp use a certain umask and/or run /etc/profile?
3.) Do you know a reasonable way to change the default system umask to 022?
4.) Do you have notes on how to back out of using shadow passwords and minimal Enhanced security?
2 REPLIES
Adam Garsha
Valued Contributor

Re: Shadow passwords, enhanced security, and sftp umask

Consensus:

1.) Yes, Enhanced security changes the default umask to 077
2.) No way to force SSH.COM based sshd daemon to make sftp use a certain umask
3.) No reasonable way to change default system umask back to 022 when using Enhanced security.
Adam Garsha
Valued Contributor

Re: Shadow passwords, enhanced security, and sftp umask

See above.
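
The theory from the original question can be reproduced locally. This is an added example, not code from the thread: a process that never sources the profile keeps whatever default umask it inherited, so the same file creation yields 644 or 600. The temporary `profile` file stands in for /etc/profile, and the function names `mode_of` and `create_file` are hypothetical.

```shell
#!/bin/sh
# Constructed demo: everything lives in a temporary directory; nothing on
# the real system (including the real /etc/profile) is read or changed.

# mode_of FILE -> prints the 10-character mode string, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# create_file DEFAULT_UMASK SOURCE_PROFILE(yes|no)
# Simulates a process started with DEFAULT_UMASK, the value inherited from
# its parent. With "yes" it first sources a stand-in for /etc/profile that
# sets umask 022, as an interactive login shell does. With "no" the profile
# is skipped, which is what the thread's theory says happens for sftp.
create_file() {
    default_umask=$1
    source_profile=$2
    workdir=$(mktemp -d) || return 1
    printf 'umask 022\n' > "$workdir/profile"   # stand-in for /etc/profile
    (
        umask "$default_umask"                  # inherited system default
        if [ "$source_profile" = yes ]; then
            . "$workdir/profile"                # login shell path
        fi
        : > "$workdir/upload"                   # new file: 0666 & ~umask
    )
    mode_of "$workdir/upload"
    rm -rf "$workdir"
}

# ssh login after the change: default 077, profile resets it to 022
echo "default 077, profile sourced: $(create_file 077 yes)"
# sftp after the change: default 077, profile never runs
echo "default 077, profile skipped: $(create_file 077 no)"
# sftp before the change: default 022, profile never runs
echo "default 022, profile skipped: $(create_file 022 no)"
```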