[Solved] Wrong permissions when creating files on a sshfs mount

Soukyuu · 2016-10-18 16:55:07

Solution: currently not possible, ACLs are not supported by the sftp version used in openssh (source).

Original post below:
====================

The idea is to have a shared folder where everyone can do everything to the files without having to grant permissions explicitly, with newly created files and folders inheriting those permissions.

So far I have a directory on my linux server with the following permissions:

drwxrwsrwx+ 22 azure     sambashare  4096 Oct 16 20:55 Share

Which contains several directories with the following permissions

drwxrws---+ 30 username   sambashare 4096 Oct 16 20:55  folder

This Share directory is mounted as sshfs in fstab on my pc like this:

x-systemd.automount,idmap=user,port=12310,_netdev,identityfile=/home/azure/.ssh/id_rsa,allow_other,default_permissions,uid=1000,gid=1000,umask=0,reconnect,cache=no,kernel_cache,ciphers=arcfour,compression=no 0 0

My issue: creating a new directory from my PC sets the permissions on the server to

drwxr-sr-x+  2 azure sambashare       4096 Oct 18 18:39 test

But viewing the same on my PC shows

drwxrwxrwx 1 azure azure       4096 Oct 18 18:39 test

What did I do wrong?

I would like to be able to
- view permissions as they are remotely
- create files/folders that have rw(x) permissions for user and group by default

Is this possible?

Last edited by Soukyuu (2016-10-20 18:22:38)

Raynman · 2016-10-18 17:37:44

https://bbs.archlinux.org/viewtopic.php?id=140734

Soukyuu · 2016-10-18 18:51:57

Thanks for the pointer, but doesn't seem to be it. I've edited my /etc/ssh/sshd_config to use

Subsystem       sftp    /usr/lib/ssh/sftp-server -u 0007

So I'm expecting to see 770 permissions on new folders, but restarting both the sshd on the server and the PC and creating a new test folder and file still ends up with the same permissions as stated above (. is test folder, .. is Share):

drwxr-sr-x 1 azure sambashare  4096 18. Okt 20:44 .
drwxrws--- 1 azure sambashare 12288 18. Okt 20:44 ..
-rw-r--r-- 1 azure sambashare     2 18. Okt 20:44 test.txt

I have the feeling I'm missing something elementary here.

I managed to see the correct permissions locally by dropping the umask=0 part in /etc/fstab, though.
I now also use gid=1004 (which happens to be sambashare remotely and locally).

edit: Ok, I'm getting somewhere.

First, I purged all acls from all files:

# setfacl -b -R .

Then I've reset permissions to 770 / 660 respectively:

# find . -type d -print0 | xargs -0 chmod 770 
# find . -type f -print0 | xargs -0 chmod 660

Then I've set the group sticky bit on all directories (ensures new folders/files will have the group of the directory they are created in):

# find . -type d -print0 | xargs -0 g+s

Now I set the default ACLs as per this article

# setacl -m -u::rwx

This results in all folders created inside the Share folder to have the correct group and 770 permissions. It also results in all files created inside the Share folder to have the correct group and 660 permissions.

My only problem now is that creating files remotely via sshfs results in 750 permissions for directories and 640 for files.
Is my local umask being applied to the default permissions, (resulting in 755 / 644 initially) followed by the application of umask in sshd_config (resulting in 750 / 640)?
If yes, how do I avoid that?

edit2: Well, actually, my issue is now exactly like the issue Raynman linked above, as well as several others.
However, as mentioned at the start of this post, the fix proposed in that thread did not solve the issue for me.

Last edited by Soukyuu (2016-10-18 20:26:34)

Soukyuu · 2016-10-20 18:20:53

I think I figured out what is going on. The umask in sshd_config works, but it is applied to the incoming permissions. And the incoming permissions are the permissions I have on my PC. The g+s bit ensures that the group is set correctly, however setfacl/getfacl functionality does NOT get passed through the sftp protocol used by openssh (see here). This means that even though there are default ACLs present for the directory, they are not visible via sshfs, so they are ignored. And since the default umask is 022, it explains why the write permission is missing.

So I guess the issue is "solved". For now, I will just have to set the permissions manually.

Last edited by Soukyuu (2016-11-05 15:00:35)

Arch Linux

#1 2016-10-18 16:55:07

[Solved] Wrong permissions when creating files on a sshfs mount

#2 2016-10-18 17:37:44

Re: [Solved] Wrong permissions when creating files on a sshfs mount

#3 2016-10-18 18:51:57

Re: [Solved] Wrong permissions when creating files on a sshfs mount

#4 2016-10-20 18:20:53

Re: [Solved] Wrong permissions when creating files on a sshfs mount

Board footer