
Issue SFTP creates files with 0600 perms instead of 0644

QWeb Ric

Basic Pleskian
I've just set up a new server for a client using a single domain Plesk license. Usually we use multi-domain licenses which of course include subscriptions and plans, so the settings I'm seeing in this install are a bit more restrictive but as far as I can tell everything is configured as per our usual.

We normally disable the FTP ports and just use SFTP for website access, but thus have the "Access to the server over SSH" settings set to "/bin/bash (chrooted)" or in some cases, just "/bin/bash".

On this particular server though, if I connect via SFTP with that setting set to either chrooted or not, files uploaded are being given permissions of 0600 and thus aren't accessible via a web browser. If I instead connect over FTP, the files are created properly.

I can't for the life of me find a reason for this. Any thoughts please?

Plesk version 18.0.29. Server is CentOS 8.
 
In a post on the internet I found this on it:

"you can set the umask for all sftp logins in sshd's config file (/etc/ssh/sshd_config on my Debian box). For that add -u 022 to the sftp subsystem line like so:
Subsystem sftp /usr/lib/openssh/sftp-server -u 022
From man sftp-server:
-u umask
Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask."
 
Thanks @Peter Debik but this doesn't seem to be working for me on CentOS 8. I'm wondering whether CentOS 8 has some kind of security modules running that override user-set umasks or something, but comparing the various SSH / PAM etc configs with a working CentOS 7 box doesn't seem to bring up any clues. I'm also certain we have at least one CentOS 8 box somewhere that's running with SFTP connections working just fine. All of our boxes run Plesk and near identical configurations...

@KeeB we've had to resort to just leaving regular FTP open for now unfortunately.
 
Hi - Thanks for the info.
 
Thanks for the reply.
Peter's suggestion actually worked for me, but I had to restart the server to have it take effect. However, I still have a related problem, it seems: when I unzip a file (as a system user, not root), I have the same problem - all the files have 0600 perms. Not sure where to fix that?
 
Actually found this: Default file permissions on ssh and sftp

I decided to re-image the server with CentOS 7 just to see if it is a CentOS 8 'feature'

Will update here in a while

Update - I tried with CentOS7 and Ubuntu 20.04 and both seem to be OK.

I also think I found a workaround for the unzip/file creation problem but not sure if it is a good thing to do:

Around line 64 of /etc/login.defs ... commenting out the line "UMASK 077" as below makes it default to 022

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
#UMASK 077

However, in the end, I decided to go with CentOS7 as I have more confidence in it for now :)
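
The two settings named in this thread, checked side by side. This is an added example, not part of any post above: it reads the `-u` value from the `Subsystem sftp` line and the `UMASK` line from a login.defs-style file, then shows the file mode each produces. The function names and the sample files it writes to a temporary directory are constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit the two umask settings discussed in this thread.
# File contents written below are constructed samples, not real server files.

# Active UMASK value in a login.defs-style file; empty if absent or commented.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { if (v != "") print v }' "$1"
}

# Value of -u on the "Subsystem sftp" line of an sshd_config-style file.
sftp_subsystem_umask() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" {
        for (i = 3; i < NF; i++) if ($i == "-u") { print $(i + 1); exit }
    }' "$1"
}

# Octal mode of a new file when a program requests 0666 under umask $1.
file_mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~0$1 & 0777 ))
}

# Empirical check: create a file under umask $1, return its ls mode string.
# (Plain redirection is used because mktemp always creates files as 0600.)
observed_mode() {
    ( umask "$1" && rm -f "$tmp/probe" && : > "$tmp/probe" &&
      ls -l "$tmp/probe" | cut -c1-10 )
}

# Summarise both settings; login.defs falls back to 022 when UMASK is unset.
report() {
    shell_mask=$(login_defs_umask "$1")
    sftp_mask=$(sftp_subsystem_umask "$2")
    echo "login.defs umask ${shell_mask:-unset (022)}:" \
         "new files $(file_mode_for_umask "${shell_mask:-022}")"
    if [ -n "$sftp_mask" ]; then
        echo "sftp-server -u $sftp_mask: uploads $(file_mode_for_umask "$sftp_mask")"
    else
        echo "sftp-server has no -u: uploads use the user's default mask"
    fi
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'UMASK 077\n' > "$tmp/login.defs"
printf '#UMASK 077\n' > "$tmp/login.defs.fixed"
printf 'Subsystem sftp /usr/lib/openssh/sftp-server -u 022\n' > "$tmp/sshd_config"
report "$tmp/login.defs" "$tmp/sshd_config"
echo "observed under 077: $(observed_mode 077), under 022: $(observed_mode 022)"
```

On a real host, call `report /etc/login.defs /etc/ssh/sshd_config`. The `-u` option changes only SFTP sessions, whereas the login.defs line is a system-wide default.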
 