SFTP umask

What a pain in the butt it was to figure out how to set the default umask on new files sent via sftp. I was on a ghost hunt and found references to PermitUserEnvironment and the environment file but that didn’t work as advertised. Setting umask in your shell configuration files (.profile, .bashrc, etc…) just doesn’t work.

The quick and surefire way to get this working is to create a tiny wrapper around the sftp-server binary. This is a three-step process:

  1. The first step is to change your /etc/ssh/sshd_config (or equivalent) file to point to the new wrapper that you’ll create:

         Subsystem sftp /usr/lib/openssh/sftp-server.sh

     Notice that the command behind the sftp subsystem is now sftp-server.sh. It was sftp-server before the change.
  2. The second step is to write a three-line wrapper around sftp-server that will be called sftp-server.sh:

         #!/bin/bash
         umask 117
         exec /usr/lib/openssh/sftp-server "$@"

  3. Now just reload the sshd server:

         $ sudo /etc/init.d/ssh reload

And that’s it!

This solution does not work for scp.
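
What the wrapper's `umask 117` leaves on new files and directories, as an added example that is not part of the original post. The function names `masked_mode` and `observe_modes` and the scratch file names are made up for the illustration.

```shell
#!/bin/sh
# Added example: effect of the wrapper's "umask 117" on newly created objects.

# masked_mode REQUESTED UMASK
# Prints the permission bits that survive the umask. Both arguments are
# octal strings without a leading zero, e.g. "666" and "117".
masked_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observe_modes UMASK
# Creates one file and one directory in a scratch directory while UMASK is
# in effect and prints their symbolic modes (file first, then directory).
observe_modes() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"                      # same call the wrapper makes
        cd "$scratch" || exit 1
        : > upload.dat                  # created with requested mode 666
        mkdir incoming                  # created with requested mode 777
        ls -ld upload.dat | cut -c1-10
        ls -ld incoming | cut -c1-10
    )
    rc=$?
    # Clean up explicitly; the directory has no search bit under umask 117.
    rm -f "$scratch/upload.dat"
    rmdir "$scratch/incoming" "$scratch"
    return $rc
}

# Stand-alone run: arithmetic view, then what the filesystem actually records.
echo "requested 666, umask 117 -> $(masked_mode 666 117)"
echo "requested 777, umask 117 -> $(masked_mode 777 117)"
echo "requested 755, umask 117 -> $(masked_mode 755 117)"
observe_modes 117
```

Directories come out as `drw-rw----`, without the search (x) bit, because 117 masks execute for owner and group as well as everything for others. OpenSSH's sftp-server also accepts a `-u umask` option (see sftp-server(8)), which applies a mask without a wrapper script.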

Published in Web Development