
Default group write for SFTP users in Mountain Lion Server

I have set up OS X Mountain Lion Server as a file server for our mac-based department. Many of us are used to having SFTP access to avoid the slowness of AFP over VPN. I am unable to find any way to get SFTP files to be created with group write permissions which obviously causes problems when someone wants to modify someone else's files. As it exists now, sftping a file results in a file being created with the correct owner and group but only 644 permissions, not 664 permissions as desired.


A few details about our setup:

- Users are all authenticated via Active Directory which the Mac server is joined to.

- The parent folder and all sub-folders are owned by the proper Active Directory group

- No ACLs are currently set.

- Creating a file via the terminal as one of the users results in 664 permissions (as expected)


I have tried:


1) modifying the umask of the sftp server by adding a umask key to /System/Library/LaunchDaemons/ssh.plist

<key>umask</key>

<integer>002</integer>

I think this should be the preferred way of making this change (although I would like to understand the security implications of changing the umask for sshd rather than just the sftp subsystem). It appears that this does have some effect. I am able to further restrict the permissions by changing the umask value (e.g. setting a umask of 007 results in a file with permissions of 640 rather than the default of 644). However, even setting a umask of 000 still results in a file with permissions 644, not 664 like I'm looking to get.


2) modifying the umask by passing a umask option to the sftp-server executable in /etc/sshd_config

Subsystem sftp /usr/libexec/sftp-server -u 002

No umask value seems to have any effect at all.


What am I missing here? There must be a way to get the sftp-server to allow files to be created with 664 permissions (and new directories with 775 permissions).


Thanks!


Other helpful links:

- http://support.apple.com/kb/HT2202

- http://jeff.robbins.ws/articles/setting-the-umask-for-sftp-transactions

- http://sysadmin.circularvale.com/server-config/setting-a-umask-for-chrooted-sftp-users/

OS X Mountain Lion (10.8.2)

Posted on Jan 27, 2013 8:11 PM
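Added illustration, not code from the thread: this Python script reproduces the file-creation path described in the question. It assumes OpenSSH semantics, where the sftp client sends the local file's permission bits in its open request and sftp-server hands them to open(2), so the server-side umask can only clear bits and never adds group write to a 644 upload.

```python
import os
import stat
import tempfile

# Model of sftp-server's create path (OpenSSH semantics, assumed here): the
# requested mode comes from the client, the umask from the sshd process.


def create_with_umask(requested_mode, umask, name="upload.txt"):
    """Create a file under the given umask and return its resulting mode bits."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        old = os.umask(umask)  # sftp-server inherits this from sshd/launchd
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, requested_mode)
            os.close(fd)
        finally:
            os.umask(old)
        return stat.S_IMODE(os.stat(path).st_mode)


def sftp_upload_mode(local_mode, server_umask):
    """Mode of an uploaded file: the local file's mode (masked to 0777), then umask."""
    return create_with_umask(local_mode & 0o777, server_umask)


def shell_create_mode(server_umask):
    """Mode of a file created by a shell redirect, which asks for 0666."""
    return create_with_umask(0o666, server_umask)


if __name__ == "__main__":
    # The cases reported in the question: a 644 local file uploaded over SFTP.
    for umask in (0o022, 0o007, 0o002, 0o000):
        print("sftp upload of 644 file, umask %03o -> %03o"
              % (umask, sftp_upload_mode(0o644, umask)))
    # The terminal case from the question: umask 002 gives 664.
    print("shell redirect, umask 002 -> %03o" % shell_create_mode(0o002))
    # Only a local file that already carries group write arrives as 664.
    print("sftp upload of 664 file, umask 002 -> %03o" % sftp_upload_mode(0o664, 0o002))
```

Because the umask is subtractive, the fix has to come from the filesystem side (an inherited ACL granting the group write, as in the accepted reply) or from the client sending group-writable modes.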

2 replies

Feb 1, 2013 6:45 PM in response to nofxite03

Thanks gracoat for the suggestion but no luck. Turned out that implementing the proper ACLs did the trick and fixed both a couple of nagging file-sharing issues as well as appropriate SFTP permissions. I just had assumed ACLs wouldn't be supported via SFTP but it seems to be working for us on 10.8 Mountain Lion.


We added the following ACL to all directories in the share with it set to permissions propagate (run from the directory to add the ACL to):


find . -type d -exec chmod +a 'group:Domain Admins:allow:list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit' {} \;


This ended up with the result of the entire group having access to the appropriate files.
