Setting a umask for chrooted sftp users

It took at least an hour of Googling to find this solution, so I’m posting it here for reference and hopefully it could help others.

If you’re not using a chroot jail, you can follow this:

This involves setting the umask in sshd_config in the Subsystem line, however, it doesn’t work for chrooted users as the umask gets set, ssh session starts and the chroot recreates the umask info (this is how I understand it, anyway).

So if you’re using chroot for users, you probably have something similar to this in your sshd_config:

Subsystem sftp internal-sftp

UsePAM yes

Match user username
ChrootDirectory /path/to/directory
ForceCommand internal-sftp

You should then edit the file /etc/pam.d/sshd and add the following:

session optional umask=0002

And in /etc/profile, if it’s not already there (it was for me on Ubuntu 10.10), add the following at the bottom:

umask 022

And that’s it.  internal-sftp does not execute any shells so it won’t take any notice of information in profile/login/rc etc, however, pam authentication is used so the configuration is seen there instead (unless, of course, you’ve turned it off).


Leave a Reply

Your email address will not be published. Required fields are marked *