4

I have a remote sshfs filesystem mounted on /mnt/data. Following is the relevant line in /etc/fstab:

www-data@192.168.1.10:/var/www/ /mnt/data       fuse.sshfs   rw,noauto,nodev,nosuid,noexec,_netdev,allow_other,default_permissions,uid=martin,gid=martin    0   0

The files in /var/www/ on the remote system are owned by user www-data, but I am using uid=martin,gid=martin to map the ownership on the mounted filesystem to uid 1000.

When I cd to /mnt/data/ as martin, I have the correct file permissions/ownership, but I need to change the umask.

On the remote filesystem, the user www-data has umask 0027. On my local filesystem, the user martin has umask 0077. I want to keep the umask 0077 on my local files, but use 0027 on the sshfs mounted files (i.e. all files in /mnt/data/).

Is this even possible?

I have tried setting acl permissions on the whole directory on the remote filesystem:

setfacl -d -m g::rx  /var/www/
setfacl -d -m o::--- /var/www/

but this has no effect on the sshfs mounted share.

Martin Vegter

1 Answer

6

sshfs uses sftp under the hood, and the umask for creating new files is handled by the remote sftp-server. You can set the umask as an argument to the sftp-server in /etc/ssh/sshd_config on the server, such as

Subsystem sftp /usr/lib/openssh/sftp-server -u 027     # Debian/Ubuntu

or

Subsystem sftp /usr/libexec/openssh/sftp-server -u 027 # RHEL/Fedora

or

Subsystem sftp /usr/lib/ssh/sftp-server -u 027         # Arch

The umask settings and extended ACLs are not transferred through the SFTP protocol as implemented by openssh. Also note that there is no "umask on files"; a umask is always associated with the running process creating the files.

Jakuje
  • I have added -u 027 to the line in /etc/ssh/sshd_config, and restarted ssh, but it does not seem to have any effect. Files are still created with the old umask 0077 – Martin Vegter Jun 12 '16 at 11:44
  • Did you restart the ssh(d) service on the server? Or do you also use the ForceCommand option there? – Jakuje Jun 12 '16 at 11:46
  • Yes, I have restarted ssh on the server (service ssh restart). What do you mean by ForceCommand option? I have no ForceCommand in /etc/ssh/sshd_config. – Martin Vegter Jun 12 '16 at 11:59
  • Also make sure that you reconnect your sshfs mount. Otherwise I don't see any reason why this should not work. The only possibility would be that the files are sent from your host with already stripped permissions (for example 600) and then the umask on the server does not have any effect. You should be able to see that when running the server in debug mode (LogLevel DEBUG3). Lines request $filename: open flags $flags should tell what flags are sent. – Jakuje Jun 12 '16 at 12:07
  • 2
    the -o umask=027 switch to sshfs (when used in /etc/fstab) only affects how existing files are shown on the mounted filesystem. But it does not represent the actual permissions on the remote server, nor does it affect true permissions (on the remote server) of newly created files. – Martin Vegter Jun 12 '16 at 12:24
  • For Arch Linux you can use Subsystem sftp /usr/lib/ssh/sftp-server -u 027 or Subsystem sftp internal-sftp -u 027 – MountainX Sep 24 '17 at 05:21
  • YES! "... and the umask for creation new files is handled by the remote sftp-server." This was the missing link. This solves the challenge to get proper access on the remote machine by other users, too. Thank you! – opinion_no9 Mar 27 '24 at 20:31
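
An added example, not part of the original thread: it uses real open(2) calls to show why a server-side -u 027 can only remove permission bits from the mode the client requests, so a client umask of 0077 still yields 0600 on the server. The two-stage model (the client sends a mode already reduced by its own umask, as the "already stripped permissions" comment suggests) is an assumption, and the function names are illustrative.

```python
import os
import stat
import tempfile


def create_mode(path, requested_mode, process_umask):
    """Create path via open(2) with requested_mode while the process umask is
    process_umask; return the permission bits the new file ends up with."""
    previous = os.umask(process_umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
        os.close(fd)
    finally:
        os.umask(previous)  # umask is per-process state, so restore it
    return stat.S_IMODE(os.stat(path).st_mode)


def remote_mode(app_mode, client_umask, server_umask):
    """Model one file creation through the mount (assumed two-stage masking)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stage 1 (client): the creating process's umask trims the mode
        # before it is sent in the SFTP open request.
        sent = create_mode(os.path.join(tmp, "client"), app_mode, client_umask)
        # Stage 2 (server): sftp-server opens the file with the mode it was
        # sent, under its own umask (the -u argument in sshd_config).
        return create_mode(os.path.join(tmp, "server"), sent, server_umask)


if __name__ == "__main__":
    # Constructed cases: (client umask, server -u value)
    cases = [(0o077, 0o027), (0o022, 0o027), (0o000, 0o027), (0o022, 0o077)]
    for client, server in cases:
        result = remote_mode(0o666, client, server)
        print(f"client umask {client:04o}, server -u {server:04o} -> {result:04o}")
```

Under this model, the first case matches what the question describes: the server umask has nothing left to strip, so group read access has to come from the mode the client sends.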