blocks|key|1637957|text|我不知道AIX，但是您应该能够在OpenSSH中做到这一点，尽管它需要根权限。您需要为sftp的服务器组件编写一个包装器脚本。包装器需要有选择地为用户更改umask，然后为sftp服务器更改exec。对于选择用户，我倾向于：|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|1637958|id+--user|code-block|syntax|javascript|1637959|如果要创建像/usr/local/sbin/sftp-wrapper这样的脚本，则可以从以下位置更改/etc/ssh/sshd_config中的sftp子系统的配置：|1637960|Subsystem+++sftp++++/usr/libexec/openssh/sftp-server|1637961|至：|1637962|Subsystem+++sftp++++/usr/local/sbin/sftp-wrapper|1637963|除了编写包装器脚本之外，每个步骤都需要根权限。|1637964|注释:我相信当您通过sftp连接时，sftp服务器是由root启动的。因此，默认的umask来源于root的umask。我不相信有一种方法可以从用户的配置中对特定用户进行更改。如果要为所有用户更改sftp+umask，可以对sftp子系统配置进行更简单的修改：|1637965|Subsystem+++sftp++++/bin/bash+-c+‘umask+002;+/usr/libexec/openssh/sftp-server’|1637966|entityMap^0|25|5|2N|4|0|0|6|S|1E|K|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|10|8|@$9|11|A|12|B|C]|$9|13|A|14|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|15|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|16|8|@$9|17|A|18|B|C]|$9|19|A|1A|B|C]]|D|@]|E|$]]|$1|M|3|N|5|H|7|1B|8|@]|D|@]|E|$I|J]]|$1|O|3|P|5|6|7|1C|8|@]|D|@]|E|$]]|$1|Q|3|R|5|H|7|1D|8|@]|D|@]|E|$I|J]]|$1|S|3|T|5|6|7|1E|8|@]|D|@]|E|$]]|$1|U|3|V|5|6|7|1F|8|@]|D|@]|E|$]]|$1|W|3|X|5|H|7|1G|8|@]|D|@]|E|$I|J]]|$1|Y|3|-4|5|6|7|1H|8|@]|D|@]|E|$]]]|Z|$]]

I don't know about AIX, but you should be able to do this with OpenSSH, though it will require root permissions. You'll need to write a wrapper script for the server component of sftp. The wrapper will need to selectively change the <code>umask</code> for the user and then <code>exec</code> the sftp server. For selecting a user, I'm partial to:

<pre><code>id --user
</code></pre>

If you were to create such a script as <code>/usr/local/sbin/sftp-wrapper</code>, you would then change the configuration for the sftp subsystem in <code>/etc/ssh/sshd_config</code> from:

<pre><code>Subsystem sftp /usr/libexec/openssh/sftp-server
</code></pre>

to:

<pre><code>Subsystem sftp /usr/local/sbin/sftp-wrapper
</code></pre>

Beyond writing the wrapper script, every step will require root permissions.

Comment: I believe the sftp server is started by root when you connect via sftp. Thus, the default umask derives from root's umask. I don't believe there is a way of altering this for a particular user from within that user's configuration. If you want to change the sftp umask for all users, you can make a simpler modification to the sftp subsystem configuration:

<pre><code>Subsystem sftp /bin/bash -c ‘umask 002; /usr/libexec/openssh/sftp-server’
</code></pre>

blocks|key|1637968|text|在十进制中，一个一百一十一的umask将产生73个小数，我们将在这个例子中使用它。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1637969|#vi+/etc/ssh/sshd_config|code-block|syntax|javascript|1637970|在文件末尾添加以下两行，以便为一组用户配置sftp。|1637971|Match+Group++<group+name>
ForceCommand++internal-sftp++-u+73|1637972|或者，在文件末尾添加以下两行，以便为单个用户配置sftp。|1637973|Match+User+++<user+name>
ForceCommand++internal-sftp+-u+73|1637974|重新启动sshd守护进程。|1637975|#stopsrc+-s+sshd

#startsrc+-s+sshd|1637976|这会有帮助的:+Aamod+chandra|1637977|entityMap^0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|W|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|X|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|Y|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|Z|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|10|8|@]|9|@]|A|$]]|$1|M|3|N|5|D|7|11|8|@]|9|@]|A|$E|F]]|$1|O|3|P|5|6|7|12|8|@]|9|@]|A|$]]|$1|Q|3|R|5|D|7|13|8|@]|9|@]|A|$E|F]]|$1|S|3|T|5|6|7|14|8|@]|9|@]|A|$]]|$1|U|3|-4|5|6|7|15|8|@]|9|@]|A|$]]]|V|$]]

A umask of 111 in Octal will yield 73 in decimal, which we 
will use in this example.

<pre><code>#vi /etc/ssh/sshd_config
</code></pre>

Add the following two lines at the end of the file to configure the sftp 
umask for a group of users.

<pre><code>Match Group &lt;group name&gt;
ForceCommand internal-sftp -u 73
</code></pre>

Or, add the following two lines at the end of the file to configure the sftp umask for a single user.

<pre><code>Match User &lt;user name&gt;
ForceCommand internal-sftp -u 73
</code></pre>

Restart the sshd daemon.

<pre><code>#stopsrc -s sshd

#startsrc -s sshd
</code></pre>

this will help : Aamod chandra

blocks|key|3332856|text|用户可以在没有根用户参与的情况下自行设置，无论是来自客户端(每个连接)还是服务器(每个公钥)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3332857|从客户端，我们可以使用-s选项覆盖用于处理sftp交互的远程命令：|offset|length|style|CODE|3332858|sftp+-s+'umask+0777;+env+PATH=${PATH}:/usr/libexec/openssh:/usr/lib/ssh:/usr/sbin+sftp-server'+username@hostname|code-block|syntax|javascript|3332859|(如果您的sftp-server没有安装在上面提到的位置之一，也可以将它添加到路径中)。|3332860|在服务器上，每当使用特定公钥进行连接时，我们都可以强制运行特定的命令。这将在所有连接上运行，而不仅仅是针对SFTP的连接，而且我们可以检查$SSH_ORIGINAL_COMMAND环境变量，以决定采取何种操作。向authorized_keys中添加如下内容可能就足以满足您的需要：|3332861|command="umask+0777;+if+[[+-n+$SSH_ORIGINAL_COMMAND+]];+then+eval+$SSH_ORIGINAL_COMMAND;+else+exec+bash+--login;+fi"+ssh-rsa+AAAAB3NzaC1yc2EA...|3332862|(替换您最喜欢的shell来处理任何交互式登录，并注意如果您使用tcsh，您将不得不修改它以适应该shell的语法)。|3332863|entityMap^0|0|B|2|0|0|5|B|0|1X|L|2Y|F|0|0|W|4|0^^$0|@$1|2|3|4|5|6|7|W|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|X|8|@$D|Y|E|Z|F|G]]|9|@]|A|$]]|$1|H|3|I|5|J|7|10|8|@]|9|@]|A|$K|L]]|$1|M|3|N|5|6|7|11|8|@$D|12|E|13|F|G]]|9|@]|A|$]]|$1|O|3|P|5|6|7|14|8|@$D|15|E|16|F|G]|$D|17|E|18|F|G]]|9|@]|A|$]]|$1|Q|3|R|5|J|7|19|8|@]|9|@]|A|$K|L]]|$1|S|3|T|5|6|7|1A|8|@$D|1B|E|1C|F|G]]|9|@]|A|$]]|$1|U|3|-4|5|6|7|1D|8|@]|9|@]|A|$]]]|V|$]]

The user can set this up themselves without the involvement of root, either from the client (per connection) or on the server (per public key).

From the client, we can override the remote command used to handle the sftp interaction using the <code>-s</code> option:

<pre class="lang-sh prettyprint-override"><code>sftp -s 'umask 0777; env PATH=${PATH}:/usr/libexec/openssh:/usr/lib/ssh:/usr/sbin sftp-server' username@hostname
</code></pre>

(If your <code>sftp-server</code> is not installed in one of the locations mentioned above, add that to the path also).

From the server, we can force a particular command to be run whenever a connection is made using a particular public key. This will get run for all connections, not just those for SFTP, but we can inspect the <code>$SSH_ORIGINAL_COMMAND</code> environment variable to decide what course of action to take. Adding something like the following to <code>authorized_keys</code> is probably sufficient for your needs:

<pre><code>command="umask 0777; if [[ -n $SSH_ORIGINAL_COMMAND ]]; then eval $SSH_ORIGINAL_COMMAND; else exec bash --login; fi" ssh-rsa AAAAB3NzaC1yc2EA...
</code></pre>

(substituting whichever is your favourite shell to handle any interactive logins, and noting that if you use <code>tcsh</code> you'll have to modify this to suit that shell's syntax).

blocks|key|3373381|text|对我来说效果很好。但是，需要进行一些研究，因为您提供的是文档的摘录。在我的例子中，一个具体的例子是在/etc/ssh/sshd_config的末尾放置两个连续行|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3373382|Match+Group+www-data
ForceCommand+internal-sftp+-u+2|code-block|syntax|javascript|3373383|在我的例子中，我想要做的是，如果组中的'www-data‘登录到'002’(小数点中的2)，则将umask设置为‘002’(小数中的2)。|3373384|还有一个选项可以使用env。变量SSH_ORIGINAL_COMMAND而不是“内部sftp”，但是我没有时间去追求它。|3373385|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|N|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|O|8|@]|9|@]|A|$]]|$1|I|3|J|5|6|7|P|8|@]|9|@]|A|$]]|$1|K|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|L|$]]

Worked great for me. However, needed a bit of research because what you provided is an extract from docs. A specific example in my case would be to put two consecutive lines at the end of /etc/ssh/sshd_config

<pre><code>Match Group www-data
ForceCommand internal-sftp -u 2
</code></pre>

In my case what I wanted to do is to set umask to '002' (2 in decimal) if someone in group 'www-data' logs in.

There is also an option to use env. variable SSH_ORIGINAL_COMMAND instead of 'internal-sftp', but I did not have time to pursue that.

blocks|key|3373396|text|我不知道为什么下面的台词对我不起作用：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3373397|*比赛组|3373398|ForceCommand++internal-sftp++-u+73|code-block|syntax|javascript|3373399|最后，在SUSE+11.3上添加“-u+0002”。|3373400|*Subsystem+sftp+/usr/lib64/ssh/sftp-server+**-u+0002***|3373401|现在，专用用户只能使用公钥登录：|3373402|Match+User+nappcpr,+Group+iwcopy

++++PasswordAuthentication+no

++++PubkeyAuthentication+yes

++++**KbdInteractiveAuthentication+no**|3373403|entityMap^0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|T|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|U|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|V|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|W|8|@]|9|@]|A|$G|H]]|$1|M|3|N|5|6|7|X|8|@]|9|@]|A|$]]|$1|O|3|P|5|F|7|Y|8|@]|9|@]|A|$G|H]]|$1|Q|3|-4|5|6|7|Z|8|@]|9|@]|A|$]]]|R|$]]

I don't know why below lines do not work for me:

*Match Group 

<pre><code>ForceCommand internal-sftp -u 73
</code></pre>

At last add '-u 0002' for Subsystem works fine on SUSE 11.3:

<pre><code>*Subsystem sftp /usr/lib64/ssh/sftp-server **-u 0002***
</code></pre>

and now specifiled user can only login with public key:

<pre><code>Match User nappcpr, Group iwcopy

 PasswordAuthentication no

 PubkeyAuthentication yes

 **KbdInteractiveAuthentication no**
</code></pre>

Could anyone tell me how to set the <code>umask</code>for a single <code>sftp</code> user? Worth mentioning is a IBM AIX...

Adding <code>umask 002</code> to that user's <code>.profile</code> didn't work... (the goal is that this user files are accesible to people from the same group).

I've seen somehowto's around editing the sftpd configs, though I want to set it for one user only, so I expected to find something that didn't need root access.

thanks!

f.

Set umask for a sftp account?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋 

腾讯云代码助手

CODING DevOps

Cloud Studio

SDK中心

API中心

命令行工具

有人能告诉我如何为单个umask用户设置sftp吗？值得一提的是IBM .将umask 002添加到用户的.profile中不起作用.(目标是使来自同一组的人可以访问该用户文件)。我已经看到了一些编辑sftpd吐露的方法，虽然我只想为一个用户设置它，所以我希望找到一些不需要根访问的东西。谢谢!f.

问设置sftp帐户的umask？
EN

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问设置sftp帐户的umask？EN