Bug 1344614

Summary: sftp -m modifies umask and breaks permissions on new directories
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Jelen <jjelen>
Component: opensshAssignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA QA Contact: Stanislav Zidek <szidek>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: aburch, nmavrogi, pvrabec, szidek
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-6.6.1p1-28.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1341747 Environment:
Last Closed: 2016-11-03 20:20:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Jelen 2016-06-10 07:41:34 UTC 
This is also applicable on RHEL7.2 and therefore it should get fixed also there.

+++ This bug was initially created as a clone of Bug #1341747 +++

Description of problem:

sftp -m doesn't work as advertised.

Reference- https://access.redhat.com/solutions/32851

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-118.1.el6_8.x86_64

How reproducible:
Always.

Steps to Reproduce:

As root: su -

01. yum install openssh openssh-server openssh-clients
02. useradd testuser
   # grep testuser /etc/passwd
   testuser:x:502:502::/home/testuser:/bin/bash
03. passwd testuser
04. vim /etc/ssh/sshd_config 
   modify the file as shown in *figure 1*
05. service sshd restart
06. # mkdir -p /www/server/docs ; chown testuser /www/server/docs ; chgrp testuser /www/server/docs
   compare permissions to *figure 2*
07. su - testuser
   $ pwd
   /home/testuser
08. mkdir test ; cd test
   $ pwd
   /home/testuser/test
09. touch 1 2 3
   $ ls
   1  2  3
10. setenforce 0
    disable selinux to simplify the permissions test
11. $ sftp localhost
   Connecting to localhost...
   testuser@localhost's password: 
12. sftp> cd docs
13. sftp> put 1
14. sftp> mkdir a
15. sftp> exit
16. # pwd
   /www/server/docs
17. # ls -la
total 12
   drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:19 .
   drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
   -rw-rw-r--. 1 testuser testuser    0 Jun  1 12:18 1 <<<
   drwxrwxrwx. 2 testuser testuser 4096 Jun  1 12:19 b <<<
18. $ umask
    0002
    The umask for files and directories have not been 
    changed from the RHEL 6 default


figure 1: 

# cat /etc/ssh/sshd_config

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes

Subsystem     sftp    internal-sftp

Match user testuser
   ChrootDirectory /www/server
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp -m 664

figure 2:

# ls -la /www/server/
total 12
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 .
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:12 docs

Actual results:
File (1) got the right permissions (664), but the directory (b) has elevated write permissions (777).

Expected results:
664 permissions

Additional info:
Oddly, if you continue to create subsiquent directories, they will have the correct permissions.

sftp> mkdir c
sftp> mkdir d

...
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:28 c
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:29 d

--- Additional comment from Jakub Jelen on 2016-06-09 13:48 CEST ---

Ouch. That is embarrassing.

If you would create the directory first and the file later, it would get the expected permissions. But you did the file first and then the umask is overwritten (for file creation) and not restored afterward, which is certainly a bug. It probably slipped through both me and our testing.

Tested patch is available.
Comment 5 errata-xmlrpc 2016-11-03 20:20:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2588.html