[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#649115: openssh-server: umask setting with internal-sftp does not work correctly

Package: openssh-server
Version: 1:5.5p1-6+squeeze1
Severity: normal
Tags: upstream

I changed the default umask of 0022 to 0007 for internal-sftp by defining this
line in the sshd configuration file /etc/sshd_config:

  Subsystem sftp internal-sftp -u 0007

This works like expected:

  sftp> mkdir directory
  sftp> ls -l
  drwxrwx---    2 user      group      4096 Nov 17 19:28 directory

But I did some tests with other umask settings and got strange results. I used
"strace" for looking at the umask system call of the sshd process while opening
the sftp connection:

  $ strace -f -p $(ps -ef |grep /usr/sbin/sshd| grep -v grep | awk '{print
$2}') 2>&1 | grep umask

For the above working example I got this result:

  [pid 11078] umask(077)                  = 022
  [pid 11078] umask(022)                  = 077
  [pid 11091] umask(07)                   = 022

Some examples with incorrect behaviour:

  Subsystem sftp internal-sftp -u 0077

  drw-rw--w-    2 user      group      4096 Nov 17 19:31 directory

  [pid 10939] umask(077)                  = 022
  [pid 10939] umask(022)                  = 077
  [pid 10949] umask(0115)                 = 022

  Subsystem sftp internal-sftp -u 0027

  drwxr--r--    2 user      group      4096 Nov 17 19:33 directory

  [pid 10735] umask(077)                  = 022
  [pid 10735] umask(022)                  = 077
  [pid 10745] umask(033)                  = 022

  Subsystem sftp internal-sftp -u 0067

  drw-rwxr--     2 user      group      4096 Nov 17 19:39 directory

  [pid 10897] umask(077)                  = 022
  [pid 10897] umask(022)                  = 077
  [pid 10907] umask(0103)                 = 022

The mode which ist set on newly created directories, suits to the last of the
three umask settings, which strace shows. But this is very different to my

-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser             3.112+nmu2           add and remove users and groups
ii  debconf [debconf-2.             Debian configuration management sy
ii  dpkg                  Debian package management system
ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
ii  libcomerr2          1.41.12-4stable1     common error description library
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - k
ii  libkrb5-3           1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii  libpam-modules      1.1.1-6.1+squeeze1   Pluggable Authentication Modules f
ii  libpam-runtime      1.1.1-6.1+squeeze1   Runtime support for the PAM librar
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libselinux1         2.0.96-1             SELinux runtime shared libraries
ii  libssl0.9.8         0.9.8o-4squeeze4     SSL shared libraries
ii  libwrap0            7.6.q-19             Wietse Venema's TCP wrappers libra
ii  lsb-base            3.2-23.2squeeze1     Linux Standard Base 3.2 init scrip
ii  openssh-blacklist   0.4.1                list of default blacklisted OpenSS
ii  openssh-client      1:5.5p1-6+squeeze1   secure shell (SSH) client, for sec
ii  procps              1:3.2.8-9            /proc file system utilities
ii  zlib1g              1:     compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)
pn  ufw                           <none>     (no description available)

-- debconf information excluded

Reply to: