For production systems it is usually best to deploy code automatically from a version control system such as Subversion or CVS, using Ant, NAnt or similar. Sometimes, though, it is handy for a group of users to be able to upload files straight to a server from their own machines. This post describes how to set up the permissions for a team that wants to upload files to an Ubuntu/Debian server over SFTP. It was tested on Ubuntu 8.04 LTS, with WinSCP as the SFTP client on Windows XP.
Getting everyone to be able to publish is easy enough - add all the users to the www-data group; that is how it is done on Debian and its derivatives. For example, to add john to the www-data group, run:
adduser john www-data
Fine, now john can publish files in the /var/www directory, assuming that the www-data group has write permission on it. Unfortunately the uploaded files get the wrong group: they are created with the user's primary group, not www-data. For example, if john uploads a file, its owner and group come out like this:
-rw-r--r-- 1 john john 357 2009-08-21 21:02 index.php
The consequence is that the other team members can read the file but not edit it. Not much use for team work, is it?
What we want is that every file uploaded by any team member gets the uploading user as owner and www-data as group. Setting the setgid bit on a directory makes every file and subdirectory created in it inherit the directory's group instead of the creator's primary group (new subdirectories also inherit the setgid bit, so the rule propagates downwards; files that already exist are not changed). In this case we want everything added under /var/www to get the www-data group, so /var/www itself must belong to group www-data, and then:
sudo chmod g+s /var/www
Uploading the file again to /var/www and checking the permissions shows the result:
-rw-r--r-- 1 john www-data 357 2009-08-21 21:02 index.php
That is great! But wait a minute, the file is still only readable, not writable, by the other team members. The first thought may be to change the umask in /etc/login.defs or /etc/profile to something more suitable for this case, for example 002. But that is futile when the files arrive over SFTP: sftp-server is started by sshd as a subsystem, not through a login shell, so an SFTP session never picks up the umask from either of those files. Instead you have to create a wrapper script that sets the umask and then starts sftp-server. (OpenSSH 5.4 and later can do this without a wrapper, since sftp-server and internal-sftp accept a -u umask option on the Subsystem line; the OpenSSH shipped with Ubuntu 8.04 predates that option, hence the wrapper.)
Create a new file called /usr/lib/openssh/sftp-server.sh with the following content (uncomment the echo commands if anything goes wrong, to confirm that the script is really being executed):
#!/bin/bash
# Wrapper around sftp-server whose only job is to set a group-writable umask.
# Debugging aids, normally commented out; remove them again once things work.
#/bin/echo `/bin/date` > /tmp/sftp-test.txt
#/bin/echo 'Starting SFTP server from wrapper script to set correct umask...' >> /tmp/sftp-test.txt
umask 0002
# Replace this shell with the real sftp-server, passing on any options sshd gave us.
exec /usr/lib/openssh/sftp-server "$@"
Set execute permissions and the correct owner and group on the wrapper. It must be owned by root and not writable by anyone else, since sshd will run it for every SFTP login:
chmod 755 /usr/lib/openssh/sftp-server.sh
chown root:root /usr/lib/openssh/sftp-server.sh
Now edit /etc/ssh/sshd_config and change the line
Subsystem sftp /usr/lib/openssh/sftp-server
to
Subsystem sftp /usr/lib/openssh/sftp-server.sh
Reload sshd so that the new Subsystem line takes effect (a reload does not disturb sessions that are already open):
/etc/init.d/ssh reload
Upload the file once more, and the group now has write permission as well:
-rw-rw-r-- 1 john www-data 357 2009-08-21 21:02 index.php
One thing to watch on the client side: if WinSCP's "Set permissions" transfer option is enabled, it explicitly chmods every uploaded file and overrides whatever the umask produced, so leave that option off.
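The whole mechanism (a group-owned setgid directory plus a wrapper that sets the umask before exec'ing the real program) can be tried out locally without touching /var/www or sshd. The script below is an added example, not part of the original post: it builds a stand-in for /var/www in a temporary directory, uses a scratch wrapper with the same shape as sftp-server.sh but exec's whatever command it is given instead of sftp-server, and "uploads" files through it. It assumes a Linux box with GNU coreutils (for stat -c), and it picks one of the current user's secondary groups to play the part of www-data, falling back to the primary group if there is none.

```shell
#!/bin/sh
# Added example, not from the original post: simulates the setgid directory
# and the umask wrapper in a temporary directory, runnable as a normal user.
# Assumes GNU coreutils (stat -c), as on Ubuntu/Debian.
set -eu

SANDBOX=$(mktemp -d)            # scratch area standing in for the server
SHARED="$SANDBOX/www"           # plays the role of /var/www
WRAPPER="$SANDBOX/sftp-server.sh"   # plays the role of /usr/lib/openssh/sftp-server.sh
trap 'rm -rf "$SANDBOX"' EXIT

# Pick a secondary group of the current user to stand in for www-data.
# Falls back to the primary group when there is no other group; the
# inheritance check still holds, it is just less visible in ls output.
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Step 1 of the post: group-owned, group-writable directory with setgid set.
prepare_shared_dir() {
    mkdir -p "$SHARED"
    chown ":$(pick_group)" "$SHARED"
    chmod 2775 "$SHARED"        # rwxrwsr-x: group write plus the setgid bit
}

# Step 2 of the post: a wrapper that only sets the umask and then execs the
# real program. Here the program is whatever is passed as arguments, so the
# mechanism can be exercised with plain touch instead of sftp-server.
write_wrapper() {
    cat > "$WRAPPER" <<'EOF'
#!/bin/sh
umask 0002
exec "$@"
EOF
    chmod 755 "$WRAPPER"
}

# "Upload" a file the way sftp-server would: create it from a child process.
# Through the wrapper the child inherits umask 0002; the plain variant uses
# the 022 that a typical login session on Ubuntu has.
upload_via_wrapper() { "$WRAPPER" touch "$SHARED/$1"; }
upload_plain()       { (umask 022; touch "$SHARED/$1"); }

dir_mode() { stat -c %a "$SHARED"; }        # octal mode of the shared dir
mode_of()  { stat -c %a "$SHARED/$1"; }     # octal mode of an uploaded file
group_of() { stat -c %g "$1"; }             # numeric gid of a path

# True when a file inside the shared dir carries the directory's group,
# which is exactly what the setgid bit is supposed to guarantee.
inherits_group() { [ "$(group_of "$SHARED/$1")" = "$(group_of "$SHARED")" ]; }

prepare_shared_dir
write_wrapper
upload_plain       plain.php
upload_via_wrapper wrapped.php
printf 'directory %s  plain upload %s  wrapped upload %s\n' \
    "$(dir_mode)" "$(mode_of plain.php)" "$(mode_of wrapped.php)"
# prints: directory 2775  plain upload 644  wrapped upload 664
```

The plain upload reproduces the -rw-r--r-- result from earlier in the post; the upload through the wrapper comes out -rw-rw-r--, and both files carry the directory's group rather than the uploader's primary group. Swapping touch for /usr/lib/openssh/sftp-server "$@" in the heredoc gives the real wrapper.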