My company has a syntax in the /etc/pam.d/sshd file on our SFTP server:
    session optional pam_umask.so umask=444
I found this command changes the permission of the uploaded file from 644 to 222 for all SFTP clients. Is it possible to match the user in this syntax? I only want this command to be effective when a specific user uploads files, and to keep 644 for the rest of the users.
I am very new to Ubuntu, any help is appreciated!
1 Answer
According to man pam_umask (libpam-modules version 1.3.1-5ubuntu4.1) [1]:
The PAM module tries to get the umask value from the following places in the following order:
- umask= entry in the user's GECOS field
- umask= argument
- UMASK= entry from /etc/default/login
- UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB in /etc/login.defs)
So it should be possible to set a per-user umask for user someuser in the GECOS field, for example using
    sudo chfn -o umask=0444 someuser
and then either setting umask=0022 in the pam_umask entry in the /etc/pam.d/sshd file, or perhaps better, omitting the umask= there altogether so that other users fall back to the umask specified in the default files.
Notes:
- the order appears to be different in earlier versions, prioritizing the umask= argument in the configuration file above that in the GECOS entry.
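
The lookup order quoted in the answer above, modelled as an added example (not part of the original answer and not pam_umask's own code), together with the file mode each resulting umask produces. The passwd lines and login.defs excerpt are constructed samples, the function names are hypothetical, the 0666 requested mode for a new upload is an assumption, and the USERGROUPS_ENAB adjustment is not modelled.

```python
import re

def gecos_umask(passwd_line):
    """Return the umask= value from the GECOS field of one passwd(5) line, or None."""
    gecos = passwd_line.rstrip("\n").split(":")[4]
    for item in gecos.split(","):          # GECOS sub-fields are comma-separated
        if item.lower().startswith("umask="):
            return item[len("umask="):]
    return None

def file_umask(text):
    """Return the UMASK value from "UMASK 022" or "UMASK=022" style text, or None."""
    for line in text.splitlines():
        m = re.match(r"\s*UMASK(?:\s*=\s*|\s+)([0-7]+)\s*$", line)
        if m:                               # commented-out lines never match
            return m.group(1)
    return None

def resolve_umask(passwd_line, module_arg=None, default_login="", login_defs=""):
    """Walk the four sources in the order quoted from the man page; first hit wins."""
    candidates = [
        ("GECOS", gecos_umask(passwd_line)),
        ("umask= argument", module_arg),
        ("/etc/default/login", file_umask(default_login)),
        ("/etc/login.defs", file_umask(login_defs)),
    ]
    for source, value in candidates:
        if value is not None:
            return source, int(value, 8) & 0o777
    return None, None                       # no source supplied a value

def created_mode(umask, requested=0o666):
    """Mode of a new file: requested bits minus umask bits (0666 is an assumption)."""
    return requested & ~umask & 0o777

# Constructed sample data: someuser after `chfn -o umask=0444`, otheruser untouched.
SOMEUSER = "someuser:x:1001:1001:,,,,umask=0444:/home/someuser:/bin/bash"
OTHERUSER = "otheruser:x:1002:1002:Other User,,,:/home/otheruser:/bin/bash"
LOGIN_DEFS = "# constructed excerpt\nUMASK\t\t022\n"

if __name__ == "__main__":
    for line in (SOMEUSER, OTHERUSER):
        # module_arg=None models a pam_umask line with no umask= argument
        source, mask = resolve_umask(line, module_arg=None, login_defs=LOGIN_DEFS)
        name = line.split(":")[0]
        print(f"{name}: umask {mask:04o} from {source}, new files {created_mode(mask):04o}")
```

Passing `module_arg="444"` for otheruser reproduces the configuration from the question, where every user without a GECOS entry ends up with 0222 files.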