Bug 1344614 – sftp -m modifies umask and breaks permissions on new directories

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1344614 - sftp -m modifies umask and breaks permissions on new directories

Summary:	sftp -m modifies umask and breaks permissions on new directories

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openssh (Show other bugs)
Sub Component:
Version:	7.2
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Jakub Jelen
QA Contact:	Stanislav Zidek
Docs Contact:

URL:
Whiteboard:
Keywords:	Patch

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2016-06-10 03:41 EDT by Jakub Jelen
Modified:	2016-11-03 16:20 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	openssh-6.6.1p1-28.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:	1341747
Environment:
Last Closed:	2016-11-03 16:20:23 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2588	normal	SHIPPED_LIVE	Moderate: openssh security, bug fix, and enhancement update	2016-11-03 08:09:45 EDT

Groups: None (edit)

Description Jakub Jelen 2016-06-10 03:41:34 EDT

This is also applicable on RHEL7.2 and therefore it should get fixed also there.

+++ This bug was initially created as a clone of Bug #1341747 +++

Description of problem:

sftp -m doesn't work as advertised.

Reference- https://access.redhat.com/solutions/32851

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-118.1.el6_8.x86_64

How reproducible:
Always.

Steps to Reproduce:

As root: su -

01. yum install openssh openssh-server openssh-clients
02. useradd testuser
   # grep testuser /etc/passwd
   testuser:x:502:502::/home/testuser:/bin/bash
03. passwd testuser
04. vim /etc/ssh/sshd_config 
   modify the file as shown in *figure 1*
05. service sshd restart
06. # mkdir -p /www/server/docs ; chown testuser /www/server/docs ; chgrp testuser /www/server/docs
   compare permissions to *figure 2*
07. su - testuser
   $ pwd
   /home/testuser
08. mkdir test ; cd test
   $ pwd
   /home/testuser/test
09. touch 1 2 3
   $ ls
   1  2  3
10. setenforce 0
    disable selinux to simplify the permissions test
11. $ sftp localhost
   Connecting to localhost...
   testuser@localhost's password: 
12. sftp> cd docs
13. sftp> put 1
14. sftp> mkdir a
15. sftp> exit
16. # pwd
   /www/server/docs
17. # ls -la
total 12
   drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:19 .
   drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
   -rw-rw-r--. 1 testuser testuser    0 Jun  1 12:18 1 <<<
   drwxrwxrwx. 2 testuser testuser 4096 Jun  1 12:19 b <<<
18. $ umask
    0002
    The umask for files and directories have not been 
    changed from the RHEL 6 default


figure 1: 

# cat /etc/ssh/sshd_config

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes

Subsystem     sftp    internal-sftp

Match user testuser
   ChrootDirectory /www/server
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp -m 664

figure 2:

# ls -la /www/server/
total 12
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 .
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:12 docs

Actual results:
File (1) got the right permissions (664), but the directory (b) has elevated write permissions (777).

Expected results:
664 permissions

Additional info:
Oddly, if you continue to create subsiquent directories, they will have the correct permissions.

sftp> mkdir c
sftp> mkdir d

...
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:28 c
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:29 d

--- Additional comment from Jakub Jelen on 2016-06-09 13:48 CEST ---

Ouch. That is embarrassing.

If you would create the directory first and the file later, it would get the expected permissions. But you did the file first and then the umask is overwritten (for file creation) and not restored afterward, which is certainly a bug. It probably slipped through both me and our testing.

Tested patch is available.

Comment 5 errata-xmlrpc 2016-11-03 16:20:23 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2588.html

Note You need to log in before you can comment on or make changes to this bug.