openssh bugs - Mar 2018 - [Bug 2839] New: SCP 'scp -r' Does Not Honor umask When Creating Directories

https://bugzilla.mindrot.org/show_bug.cgi?id=2839

            Bug ID: 2839
           Summary: SCP 'scp -r' Does Not Honor umask When Creating
                    Directories
           Product: Portable OpenSSH
           Version: 7.2p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: scp
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bugeater at bugeater.org

Problem:
 'scp -r' honors the receiving side umask when creating files, but not
when creating directories.

Description and steps to reproduce:

I am trying to setup an scp receiver that allows select users, based on
ssh keys, to scp files to a specific server as a user different than
themselves. This is to satisfy access restrictions by corporate
figures. [8^) The ultimate setup would include a user's .ssh/config
file having an entry like:

Host ssh-server
  HostName=my-ssh-server
  User=receiver

Their scp command would look simple like this:

scp /tmp/file.txt ssh-server:/some/dir/file.txt

I have been following a few of the questions asked on serverfault.com
about setting umask for scp, sftp, and ssh but I find that when
creating directories, the umask is ignored and for permissions of
created dirs and subdirs. However file permissions are handled
correctly.

One example of a question I have followed for the setup.

Here's what I have done:

1: Added the following to the receiver's ~/.ssh/authorized_keys:

command="/home/receiver/bin/bash_scp_run" ssh-rsa AAA ... My SSH Key

2: Wrote the script referenced above that sets umask to 027 and logs to
a tmp file that it was executed. I also tested without this script and
the results did not show that the umask of 027 was set. In fact it
appeared that the default umask on this system was 002.

#! /bin/bash
echo "Entering ~/bin/bash_scp_run" >> /tmp/scp_log.txt
umask 027
$SSH_ORIGINAL_COMMAND

3: Ran many tests including: (Assume that all files and dirs locally
have perms of 777 so the umask should be the only limiting factor.)

3.1: scp /tmp/file.txt ssh-server:/some/dir/file.txt

Result: /some/dir/file.txt has permissions of 750 just as expected.

3.2: scp -r /tmp/dir-with-subdirs ssh-server:/some/dir/top-dir

Result: /some/dir/top-dir has permissions of 777 which is not expected.
Also /some/dir/top-dir/subdir has permissions of 777 which is also not
expected! However files at any level have permissions of 750 which is
expected.

In all cases the file /tmp/scp_log.txt showed that the umask was
successfully set in the server side script.
>From the results in 3.2 it appears that the umask is not honored when
scp creates directories but it is honored when it creates files! From
my long UNIX/Linux experience, that's not how umask is supposed to
work. This seems like an scp bug IMHO.


Thanks for looking at this!



The Veritable Bugeater

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2839

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3134
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3134&action=edit
apply umask to file creation mode

The reason is that files are chmodded accounting for the umask but
directories are not.

This patch applies the umask to the incoming modes, which will mean
that both files and directories will have the correct umask when
created, which is I think the right thing to do (since it removes a
race between file creation and chmod where the files may have more
permissive modes than the umask specifies).

I'm not sure if there's any other corner cases, though.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2839

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2782


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2839

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2852


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2839

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2782                        |

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Move to OpenSSH 7.8 tracking bug


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2839

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
   Attachment #3134|                            |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2839

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Patch applied and will be in the 7.8 release.  Thanks for the report.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2839

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Close RESOLVED bugs with the release of openssh-8.0

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.