bugzilla-daemon at bugzilla.mindrot.org
2009-Apr-02  07:50 UTC
[Bug 1584] New: umask setting in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1584
           Summary: umask setting in sshd
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: leo.baltus at omroep.nl
We just upgraded from openssh-5.0p1 to openssh-5.2p1 (linux) to find out
that sshd changes its umask to drop group-write permissions.
We deliberately set umask 002 prior to starting sshd to allow
group-writeable files to be created.
I am not sure why this is done, but it breaks our setup and also breaks
expected behaviour. Also I could not find any discussion on the list in
the months leading up to this change, it only seems to be documented in
the ChangeLog:
20080615
[...]
   - dtucker at cvs.openbsd.org 2008/06/14 17:07:11
     [sshd.c]
     ensure default umask disallows at least group and world write; ok djm@
The packaged opensshd.init.in also assumes umask can be set prior to
starting sshd.
Therefore I propose to either undo this change (patch), or make it
configurable in sshd_config.
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31  01:53 UTC
[Bug 1584] umask setting in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1584
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> 2009-07-31 11:53:18 ---
What behaviour are you expecting and what is this breaking for you?
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31  07:29 UTC
[Bug 1584] umask setting in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1584
--- Comment #2 from Leo Baltus <leo.baltus at omroep.nl> 2009-07-31 17:29:12 ---
Hi Damien,
I am expecting to either have a umask setting in the configuration file,
or, even better, to not change the umask so sshd will use the umask from
the session that started it.
On certain upload servers we would like users to have a umask 002 by
default, so that uploaded files from, say, Windows will have group write
permission. These users are often collaborating with others and have no
clue about permissions.
The current behaviour is a hard change in the software with no means to
change it in configuration; that's an unfortunate combination.
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-20  13:24 UTC
[Bug 1584] umask setting in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1584
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2009-08-20 23:24:50 EST ---
(In reply to comment #2)
> On certain uploadservers we would like users to have a umask 002 by
> default. so that uploaded files from, say, windows will have group
> write permission. These users are often collaborating with others and
> have no clue about permissions.
So you're talking about the umask of the eventual user's shell?  or an
sftp-only session?  Can you set it in whatever shell startup you have?
The reason for the change was that the sshd server itself could also
create world writeable files when started with a permissive umask (eg
the sshd.pid file).
If it is sftp and you're using the external sftp server you could work
around it by pointing "Subsystem sftp" in sshd_config to a shell
wrapper that just sets the umask and execs the real sftp-server.
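Added example (not code from this thread or from OpenSSH) illustrating both points in comment #3: the mode a daemon's files inherit under a permissive umask, which is what the sshd change rules out, and the "Subsystem sftp" wrapper workaround. The sftp-server path passed to the wrapper is an assumption to adjust for your system.

```shell
#!/bin/sh
# Added example, not code from this bug thread or from OpenSSH. It shows
# why sshd stopped trusting the umask it inherits (a loose umask leaks into
# every file the daemon creates, e.g. its pid file) and the sftp-only
# workaround from comment #3: a "Subsystem sftp" wrapper that sets the
# umask the site wants and execs the real sftp-server.

# Print the octal mode a newly created file gets under umask $1.
# Runs in a subshell so the caller's own umask is left untouched.
mode_under_umask() {
    _dir=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$_dir/probe"
        # GNU stat first, BSD/macOS stat as a fallback
        stat -c '%a' "$_dir/probe" 2>/dev/null || stat -f '%Lp' "$_dir/probe"
    )
    _rc=$?
    rm -rf "$_dir"
    return "$_rc"
}

# Succeed if an octal mode string has the group or world write bit set;
# this is the condition the sshd change was meant to rule out.
is_loose_mode() {
    case "$1" in
        *[2367]?|*?[2367]) return 0 ;;
    esac
    return 1
}

# Write the wrapper script to $1. $2 is the path of the real sftp-server
# binary (an assumption; on many Linux systems it lives under /usr/lib or
# /usr/libexec/openssh). Point sshd_config at the wrapper with:
#   Subsystem sftp /usr/local/sbin/sftp-server-umask
write_sftp_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
# Group-writable uploads by default, then hand off to the real server.
umask 002
exec $2 "\$@"
EOF
    chmod 755 "$1"
}

# Stand-alone demo: compare the two umasks the thread argues about.
for m in 022 002; do
    mode=$(mode_under_umask "$m")
    if is_loose_mode "$mode"; then flag=loose; else flag=tight; fi
    echo "umask $m -> new files get mode $mode ($flag)"
done
```

OpenSSH 5.4 and later also accept a `-u umask` option on sftp-server and internal-sftp, which covers the sftp case without a wrapper.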
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-25  15:25 UTC
[Bug 1584] umask setting in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1584
--- Comment #4 from Leo Baltus <leo.baltus at omroep.nl> 2009-08-26 01:25:25 EST ---
I am talking about both shell and sftp sessions.
If a permissive umask would result in a writable pid file, then I feel the
problem is with the umask and not with opensshd.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06  04:12 UTC
[Bug 1584] umask setting in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1584
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
--- Comment #5 from Damien Miller <djm at mindrot.org> 2009-10-06 15:12:57 EST ---
OpenSSH 5.4 will include an option to set an explicit umask for sftp
sessions and there are a number of ways that a user may control their
umask for shell/scp sessions (shell init files, PAM, etc.) We really
don't want sshd to run with a loose or non-deterministic umask, so I
think this bug can be closed.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-16  05:51 UTC
[Bug 1584] umask setting in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1584
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> 2010-04-16 15:51:16 EST ---
Mass move of bugs RESOLVED->CLOSED following the release of
openssh-5.5p1