
Where to configure sftp umask?

bbeuchaw
Occasional Contributor

Hello,

We have 2 HP-UX B.11.11 servers, that we thought were configured identically WRT ssh and sftp, but one of them creates files that are PUT to it through sftp with perms of 644 (the preferred perms) and one creates files that are PUT to it through sftp with perms of 600 (not the preferred way). The "bad" file perms started happening a couple of weeks ago and we're not sure if one team of sys admins made any changes (we've asked the other team, but haven't gotten an answer back yet), but we can't find any evidence of anything relevant changing.

Both systems are running Secure Shell A.04.40.006, so I don't think the SftpUmask config option is available in that version, and it's not found in /opt/ssh/etc/sshd_config on either system, so nothing changed in that respect.


# ssh -v
OpenSSH_4.4p1-hpn12v11, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.40.006, HP-UX Secure Shell version

Here is the sftp line from /opt/ssh/etc/sshd_config on both systems:

Subsystem sftp /opt/ssh/libexec/sftp-server

Both systems have an identical /opt/ssh/etc/sshd_config with the exception of PermitEmptyPasswords, LogLevel, and PermitRootLogin (which shouldn't affect sftp's umask).

I know sftp doesn't source .profile or /etc/profile, and the umask isn't set like it is for ftp in /etc/inetd.conf, so what could've changed and where? Have we overlooked something simple or is there something somewhere that we just don't know about?

The files that brought this to our attention are PUT from a Windows system, and are part of some automated process (which hasn't changed, and from what I've seen, they can't even set perms in the tool they use, which is Sun JavaCaps)

Please let me know if you need any more info, thanks very much!

6 REPLIES
Steven E. Protter
Exalted Contributor

Re: Where to configure sftp umask?

Shalom,

Check the following files:

ssh_config
sshd_config
#for default umask.

In the absence of that:
/etc/profile
.profile
# Any files sourced there. If not set in the ssh configuration, the permissions may respect the user profile, though for sftp I doubt it.

See this link:

http://jeff.robbins.ws/articles/setting-the-umask-for-sftp-transactions

http://www.derkeiler.com/Newsgroups/comp.security.ssh/2005-09/0078.html

http://lists.mindrot.org/pipermail/openssh-unix-dev/2009-January/027118.html

These may apply to Linux, but if they use OpenSSH configuration files, they will work on any *NX platform.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
bbeuchaw
Occasional Contributor

Re: Where to configure sftp umask?

No umask in ssh_config or sshd_config, already checked that, but here's proof. :-)

# grep -i umask /opt/ssh/etc/ssh_config
# grep -i umask /opt/ssh/etc/sshd_config
#

No files sourced in ~myuserid/.profile, but I did put umask 022 in ~myuserid/.profile just to check and that didn't affect the perms on the created file, it was still 600, since .profile-type files don't get sourced during sftp logins (from what little I know about sftp).

Read the links, thanks, that is a long-shot option that I really don't want to implement unless absolutely necessary.

What's confusing us is that something affecting the umask for sftp changed, but if there's nowhere that certain something can be changed on the HP-UX server, how'd it get changed? I'm tempted to go back (for about the 5th time since they keep denying it :-) ) to the app group that PUTs the file to make absolutely sure *nothing* changed on their end.
Tim Nelson
Honored Contributor

Re: Where to configure sftp umask?

It is a server side configuration.

# grep mask sshd_config
SftpUmask 002


Florian Heigl (new acc)
Honored Contributor

Re: Where to configure sftp umask?

The sftp umask goes to sshd_config, but it depends on the version of HP-UX Secure Shell whether it's supported or not. At times we've seen issues where ssh coredumped because it didn't know the setting BUT that was more than two years ago.

(on a side note, of course it was blamed on us for reporting it instead of the guy that rolled out an incompatible ssh version where the setting didn't work anymore :)
yesterday I stood at the edge. Today I'm one step ahead.
bbeuchaw
Occasional Contributor

Re: Where to configure sftp umask?

Thanks to the 2 new replies, but there is no SftpUMask in sshd_config, there never was and there never will be because we're running A.04.40.006 (I could try to add it, but this is a production system, and it wasn't there originally, so that wasn't what changed):

$ ssh -v
OpenSSH_4.4p1-hpn12v11, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.40.006, HP-UX Secure Shell version

And according to the release notes (http://docs.hp.com/en/5991-7494/5991-7494.pdf), SftpUMask is not supported in that release:

Unsupported Features
Starting with this version of HP-UX Secure Shell, the following
configuration directives are not supported:
• LogSftp no
• SftpLogFacility AUTH
• SftpLogLevel INFO
• SftpUMask
• SftpPermitChmod yes
• SftpPermitChown yes

Thanks though. :-(
WayneHP
Frequent Advisor

Re: Where to configure sftp umask?

1) Get the latest copy of ssh for HP-UX
I am running
root@mxpapp01# swlist |grep Secure
OpenSSL A.00.09.07m.056 Secure Network Communications Protocol
T1471AA A.05.20.014 HP-UX Secure Shell

and from ssh -v
root@mxpapp01# ssh -v
OpenSSH_5.2p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8k 25 Mar 2009
HP-UX Secure Shell-A.05.20.014, HP-UX Secure Shell version

2) Check UMASK in /etc/default/security
# Default umask value upon login. Note: This
# parameter controls umask(2) of all sessions
# initiated via pam_unix(5) and/or pam_hpsec(5).
# UMASK=022
UMASK=077 <---- my setting

NOTICE this is pam security for all sessions as is stated.

Also notice I have restricted my UMASK to 077.

I also edit my /etc/opt/ssh/sshd_config a.k.a /opt/ssh/etc/sshd_config

and

# sftp-server umask control
#SftpUmask
SftpUmask 022


I allow umask 022 for sftp only here; if you were to scp the same file, it would be created using the 077 umask from /etc/default/security.

User profile umask settings will not be honored by scp or sftp.


man pam.conf
man pam_unix
man pam_hpsec
man sshd_config
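The thread boils down to two facts: sftp-server creates new files with mode 0666 minus the session umask (so 022 gives 644 and 077 gives 600), and on HP-UX that umask comes from an active SftpUmask line in sshd_config on releases that support it, otherwise from the PAM-wide UMASK in /etc/default/security, never from ~/.profile. The script below is an added example written for this page, not code from any of the posters; it computes the resulting file mode from a umask and checks the two configuration sources in that order for a pair of constructed host configs, so two hosts can be compared the way the original question asks. The 022 fallback when neither file sets a umask, and the sample directory layout, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: work out the mode sftp-server gives a
# newly PUT file and find which umask source is in effect on an HP-UX host.
set -eu

# sftp-server opens new files with mode 0666; the session umask strips bits.
# perms_from_umask 022 -> 644, perms_from_umask 077 -> 600
perms_from_umask() {
    printf '%03o' $(( 0666 & ~0$1 ))
}

# Report the umask an sftp session would get, given paths to the host's
# sshd_config and /etc/default/security.  Order follows WayneHP's reply:
# an active (uncommented) SftpUmask line applies to sftp only, and only on
# Secure Shell releases that support the directive; otherwise the PAM-wide
# UMASK from /etc/default/security applies; ~/.profile is never consulted.
effective_sftp_umask() {
    sshd_config=$1
    default_security=$2
    v=$(awk 'tolower($1) == "sftpumask" { print $2 }' "$sshd_config" | tail -n 1)
    if [ -n "$v" ]; then
        echo "$v"
        return
    fi
    v=$(sed -n 's/^UMASK=\([0-7][0-7]*\).*/\1/p' "$default_security" | tail -n 1)
    if [ -n "$v" ]; then
        echo "$v"
        return
    fi
    echo 022   # assumed fallback when neither file sets one (assumption)
}

# Constructed sample configs for three hosts (assumed layout, not real files):
# host_a sets nothing (uploads land as 644); host_b has UMASK=077 in
# /etc/default/security and only a commented-out SftpUmask, so uploads land
# as 600; host_c mirrors WayneHP's setup, UMASK=077 for PAM sessions but
# SftpUmask 022 for sftp.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/host_a" "$SAMPLE_DIR/host_b" "$SAMPLE_DIR/host_c"

printf 'Subsystem sftp /opt/ssh/libexec/sftp-server\n' \
    > "$SAMPLE_DIR/host_a/sshd_config"
printf '# UMASK=022\n' > "$SAMPLE_DIR/host_a/security"

printf 'Subsystem sftp /opt/ssh/libexec/sftp-server\n#SftpUmask\n' \
    > "$SAMPLE_DIR/host_b/sshd_config"
printf '# UMASK=022\nUMASK=077\n' > "$SAMPLE_DIR/host_b/security"

printf 'Subsystem sftp /opt/ssh/libexec/sftp-server\n# sftp-server umask control\n#SftpUmask\nSftpUmask 022\n' \
    > "$SAMPLE_DIR/host_c/sshd_config"
printf 'UMASK=077\n' > "$SAMPLE_DIR/host_c/security"

# Compare hosts the way the original poster wanted to: one line per host
# naming the effective sftp umask and the mode a PUT file will end up with.
report() {
    host=$1
    u=$(effective_sftp_umask "$SAMPLE_DIR/$host/sshd_config" "$SAMPLE_DIR/$host/security")
    printf '%s: sftp umask %s -> PUT files get mode %s\n' \
        "$host" "$u" "$(perms_from_umask "$u")"
}

for h in host_a host_b host_c; do
    report "$h"
done
```

On a real pair of HP-UX hosts you would point effective_sftp_umask at /opt/ssh/etc/sshd_config and /etc/default/security on each and diff the two reports; a host whose report says 077 while the other says 022 is the one whose PAM umask changed, which matches the 600 versus 644 symptom in the question. Remember the caveat from the thread that on Secure Shell A.04.40.006 SftpUmask is documented as unsupported, so on that release only the second source matters.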