SUMMARY: SFTP and umask and enhanced security (only using shadow passwords)

From: Garsha, Adam (adam.garsha_at_marquette.edu)
Date: 07/26/05

    Date: Tue, 26 Jul 2005 07:43:26 -0500
    To: tru64-unix-managers@ornl.gov
    
    

    Thanks to Ann Majeske.

    Original Question:

    After moving to use shadow passwords, our sftp users now end up creating
    files with mode -rw------- (600).

    When users actually log in via ssh and create files locally, the files
    are instead -rw-r--r-- (644); this also used to be true for sftp prior
    to using shadow passwords.

    In /etc/profile the umask is set to 022. So, my working theory is that
    enhanced security changed the default umask from 022 to 077 and that
    sftp does not run commands in /etc/profile.

    1.) What do you think about this theory?
    2.) Do you know a way to force the sshd daemon to make sftp use a
    certain umask and/or run /etc/profile?
    3.) Do you know a reasonable way to change the default system umask to
    022?

    Consensus:

    1.) Yes, Enhanced security changes the default umask to 077
    2.) No way to force SSH.COM-based sshd daemon to make sftp use a certain
    umask
    3.) No reasonable way to change default system umask back to 022 when
    using Enhanced security.

    Resolution:

    1.) Short term, we have reverted back to BASE security
    2.) Next, I'll build an openssh kit for 5.1B-3 (with tcp_wrapper support
    and SftpUmask patch), test, deploy, and move back to ENHANCED C2.
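
The umask behaviour described in the question can be reproduced locally. This is an added example, not part of the original post: a child started without a login shell inherits its parent's umask and never reads /etc/profile, which is the position the sftp subsystem is in. The function names and the file name upload.txt are made up for the illustration, and the subshell's umask stands in for the daemon's default.

```shell
#!/bin/sh
# Added example: reproduce the file modes from the post under each umask.

# mode_under_umask UMASK
# Prints the ls-style mode of a file created by a non-login child shell
# that inherited UMASK from its parent.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"    # stands in for the umask the daemon runs with
        # "sh -c" is a non-login shell: it does not read /etc/profile,
        # so nothing resets the inherited umask before the file is created.
        sh -c ': > "$1"' sh "$dir/upload.txt"
    )
    # Keep only the ten mode characters (drops any ACL/SELinux marker).
    ls -l "$dir/upload.txt" | cut -c1-10
    rm -rf "$dir"
}

# child_umask UMASK
# Prints the umask as seen from inside the non-login child shell.
child_umask() {
    ( umask "$1"; sh -c 'umask' )
}

echo "parent umask 077 -> $(mode_under_umask 077)"
echo "parent umask 022 -> $(mode_under_umask 022)"
echo "child of 077 reports umask $(child_umask 077)"
```

A umask line in /etc/profile only takes effect for sessions that start a login shell, so the interactive ssh case and the sftp case can legitimately differ on the same host.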

