• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue SFTP creates files with 0600 perms instead of 0644

QWeb Ric

QWeb Ric

Basic Pleskian
I've just set up a new server for a client using a single domain Plesk license. Usually we use multi-domain licenses which of course include subscriptions and plans, so the settings I'm seeing in this install are a bit more restrictive but as far as I can tell everything is configured as per our usual.

We normally disable the FTP ports and just use SFTP for website access, but thus have the "Access to the server over SSH" settings set to "/bin/bash (chrooted)" or in some cases, just "/bin/bash".

On this particular server though, if I connect via SFTP with that setting set to either chrooted or not, files uploaded are being given permissions of 0600 and thus aren't accessible via a web browser. If I instead connect over FTP, the files are created properly.

I can't for the life of me find a reason for this. Any thoughts please?

Plesk version 18.0.29. Server is CentOS 8.
 
In a post on the internet I found this on it:

"you can set the umask for all sftp logins in sshd's config file (/etc/ssh/sshd_config on my Debian box). For that add -u 022 to the sftp subsystem line like so:
Subsystem sftp /usr/lib/openssh/sftp-server -u 022
From man sftp-server:
-u umask
Sets an explicit umask(2) to be applied to newly-created files and directo‐
ries, instead of the user's default mask."
 
Thanks @Peter Debik but this doesn't seem to be working for me on CentOS 8. I'm wondering whether CentOS 8 has some kind of security modules running that override user-set umasks or something, but comparing the various SSH / PAM etc configs with a working CentOS 7 box doesn't seem to bring up any clues. I'm also certain we have at least one CentOS 8 box somewhere that's running with SFTP connections working just fine. All of our boxes run Plesk and near identical configurations...

@KeeB we've had to resort to just leaving regular FTP open for now unfortunately.
 
Peter Debik said:
In a post on the internet I found this on it:

"you can set the umask for all sftp logins in sshd's config file (/etc/ssh/sshd_config on my Debian box). For that add -u 022 to the sftp subsystem line like so:
Subsystem sftp /usr/lib/openssh/sftp-server -u 022
From man sftp-server:
-u umask
Sets an explicit umask(2) to be applied to newly-created files and directo‐
ries, instead of the user's default mask."
Click to expand...
Hi - Thanks for the info.
 
QWeb Ric said:
Thanks @Peter Debik but this doesn't seem to be working for me on CentOS 8. I'm wondering whether CentOS 8 has some kind of security modules running that override user-set umasks or something, but comparing the various SSH / PAM etc configs with a working CentOS 7 box doesn't seem to bring up any clues. I'm also certain we have at least one CentOS 8 box somewhere that's running with SFTP connections working just fine. All of our boxes run Plesk and near identical configurations...

@KeeB we've had to resort to just leaving regular FTP open for now unfortunately.
Click to expand...
Thanks for the reply.
Peter's suggestion actually worked for me but had to restart the server to have it take effect. However, I still have a related problem it seems:... when I unzip a file (as a system user not root), then I have the same problem - all the files have 0600 perms. Not sure where to fix that?
 
QWeb Ric said:
Thanks @Peter Debik but this doesn't seem to be working for me on CentOS 8. I'm wondering whether CentOS 8 has some kind of security modules running that override user-set umasks or something, but comparing the various SSH / PAM etc configs with a working CentOS 7 box doesn't seem to bring up any clues. I'm also certain we have at least one CentOS 8 box somewhere that's running with SFTP connections working just fine. All of our boxes run Plesk and near identical configurations...

@KeeB we've had to resort to just leaving regular FTP open for now unfortunately.
Click to expand...
Actually found this: Default file permissions on ssh and sftp

I decided to re-image the server with CentOs7 just to see if it is a CentOs8 'feature'

Will update here in a while

Update - I tried with CentOS7 and Ubuntu 20.04 and both seem to be OK.

I also think I found a workaround for the unzip/file creation problem but not sure if it is a good thing to do:

Around line 64 of /etc/login.defs ... commenting out the line "UMASK 077" as below makes it default to 022

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
#UMASK 077

However, in the end, I decided to go with CentOS7 as I have more confidence in it for now :)
 
Last edited:
You must log in or register to reply here.

Similar threads

A
Question Cant connect with SFTP user and login in Plesk ( amazon lightsail)
Replies
19
Views
641
Sebahat.hadzhi
Sebahat.hadzhi
QWeb Ric
Resolved Removing PHP from chroot template
Replies
5
Views
508
QWeb Ric
QWeb Ric
UHF
Resolved SFTP Connection Issue
Replies
2
Views
3K
UHF
UHF
M
Resolved Additional FTP account shutting right down after opening (via FTP client)
2
Replies
21
Views
6K
trialotto
T
CobraArbok
Question What kind of script for FTP and where to save the file.
Replies
0
Views
613
CobraArbok
CobraArbok
Back
Top