How to setup ssh's umask for all type of connections
Solution 1:
I can suggest trying 2 things:
- pam_umask
- LD_PRELOAD wrapper (self-written?)
Solution 2:
Here is a solution that will let you do what you want on a per-user basis. It uses only native sshd features and does not require mucking about with locally maintained patches. This solution takes advantage of the ForceCommand behavior of sshd to insert an environment-setup script into every ssh connection, and then run the original command.
First, create a script somewhere on your system with the following contents:
#!/bin/sh
umask 0027
exec /bin/sh -c "${SSH_ORIGINAL_COMMAND:-$SHELL}"
For the purposes of this example I'll assume you've called this /usr/bin/umask-wrapper.
Now, you have a few options in setting this up. If you want this to be a mandatory configuration for all users (which seems a little unlikely), you can modify your sshd configuration to include the following:
ForceCommand /usr/bin/umask-wrapper
If you only want this to apply to some users, you can use a Match block (this goes at the end of your sshd_config):
Match User user1,user2
ForceCommand /usr/bin/umask-wrapper
If you want this to be user-controllable behavior, then you can use the command= option in an authorized_key file to select this behavior for specific keys. For example, while testing this out I added an entry to my authorized_keys file that looks something like this:
command="/home/lars/bin/umask-wrapper" ssh-rsa AAAAB3NzaC1 ... umask-test
And here are some results of my test:
Using ssh with no command:
localhost$ ssh remotehost
remotehost$ touch umask-test/file1
remotehost$ ls -l umask-test/file1
-rw-r-----. 1 lars lars 0 Feb 2 06:02 file1
Using ssh with a command:
localhost$ ssh remotehost touch umask-test/file2
localhost$ ssh remotehost ls -l umask-test/file2
-rw-r-----. 1 lars lars 0 Feb 2 06:03 file2
Using scp:
localhost$ touch file3
localhost$ ls -l file3
-rw-r--r-- 1 lars staff 0 Feb 2 06:03 file3
localhost$ scp file3 remotehost:umask-test/file3
localhost$ ssh remotehost ls -l umask-test/file3
-rw-r-----. 1 lars lars 0 Feb 2 06:03 file3
Using sftp:
localhost$ sftp remotehost
sftp> put file3 umask-test/file4
sftp> ls -l umask-test/file4
-rw-r----- 0 500 500 0 Feb 2 06:05 umask-test/file4
And there you have it. I believe this is the behavior you were looking for. If you have any questions about this solution I would be happy to provide additional details.
Solution 3:
I took a slightly different approach to centralize the setting.
This was added to /etc/pam.d/common-session:
session optional pam_umask.so
This was modified in /etc/login.defs:
UMASK 0027
Solution 4:
I've gotten pam_umask to work with ssh, but not with scp or sftp.
The wrapper method also does nothing for sftp or scp. I'm not sure 027 is a good example since most distros have umask set to that already. Try with 002 and see if that works.