Friday, May 27, 2016

linux - Force SFTP/SCP to copy files with a remote directory's permission



I am having a problem with SFTP and SCP where files that are copied are not inheriting the permissions of the remote parent directory. I have seen similar questions on serverfault where the umask of the SFTP/SCP session is modified, however, that does not necessarily solve my issue, as some directories will need to have different permissions than others. Thus, I do not want to have a default umask set.



Thus, I want to force the copied file to have the permissions that are set by the parent directory on the remote system. Basically, I want SCP/SFTP to work the same way that cp works without the -p option. Currently SFTP/SCP is mimicking cp -p behavior.




Here is what I want to have happen:



1.) User wants to copy file foo.txt with permissions:




-rw-------. 1 user user 0 Feb 29 09:08 foo.txt


2.) User uses SCP to copy foo.txt to the server under directory /bar. /bar has permissions (setgid is set):





drwxrws---+ 3 root usergroup 4096 Feb 28 12:19 bar


3.) /bar has the following facl's set:




user::rwx
group::rwx
group:usergroup:rwx

default:user::rwx
default:group::rwx
default:group:usergroup:rw-


4.) foo.txt should have the following permissions (and facl):



-rw-rw----+ 1 user usergroup     0 Feb 29 09:33 foo.txt
user::rw-
group::rwx #effective: rw-
group:usergroup:rw-


5.) Instead, foo.txt has permissions:



-rw-------+ 1 user usergroup     0 Feb 29 09:36 foo.txt
user::rw-
group::rwx #effective:---
group:usergroup:rw- #effective:---



Is there an easy way to get the file to obtain the expected permissions above?



Also, do my facl's make sense, or are they redundant?



EDIT: Fixed post to display properly. (Serverfault's code and numbering doesn't work too well. I needed to wrap things in pre tags.)


Answer



From the man page: "When scp copies files, the destination files are created with certain file attributes. By default, the file permissions adhere to a umask on the destination host, and the modification and last access times will be the time of the copy. Alternatively, you can tell scp to duplicate the permissions and timestamps of the original files. The -p option accomplishes this."




For example:



sftp user@server:backup <<< $'put -rp mysoftware/mysqldump'


Based on the info above I am not sure what you want is possible without using a cronjob to set permissions. The umask option only applies to files being created. Setgid only applies to the group. I am sure you can write a job that sets the permissions recursively but that is all I can think of that would result in what you described unless I misunderstood the question.
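Why step 5 differs from step 4, as an added example that is not part of the original question or answer: it models the default-ACL inheritance rules documented in acl(5), under the assumption that the transfer creates foo.txt with the source file's mode (0600), which is what the step 5 listing is consistent with. The `mask` and `other` default entries are not shown on the page and are assumed here.

```python
# Added example: models the default-ACL inheritance rules from acl(5).
R, W, X = 4, 2, 1

# Default ACL of /bar as listed in step 3. The mask and other entries are not
# shown on the page; they are assumed here (mask = union of the group-class
# entries, which is what setfacl computes; other = --- to match drwxrws---).
BAR_DEFAULT = ["user::rwx", "group::rwx", "group:usergroup:rw-",
               "mask::rwx", "other::---"]

def parse(entries):
    """Turn 'group:usergroup:rw-' into {('group', 'usergroup'): 6}."""
    acl = {}
    for entry in entries:
        tag, qualifier, perms = entry.split(":")
        acl[(tag, qualifier)] = sum(
            bit for ch, bit in zip(perms, (R, W, X)) if ch != "-")
    return acl

def inherit(default_entries, create_mode):
    """Access ACL of a file created with create_mode in a directory that
    has a default ACL. The umask is not consulted in this case."""
    acl = parse(default_entries)
    acl[("user", "")] &= (create_mode >> 6) & 7   # owner bits
    acl[("mask", "")] &= (create_mode >> 3) & 7   # group bits limit the mask
    acl[("other", "")] &= create_mode & 7         # other bits
    return acl

def effective(acl):
    """Apply the mask to every entry except the owner and other entries."""
    mask = acl[("mask", "")]
    out = {}
    for (tag, qualifier), bits in acl.items():
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        out[(tag, qualifier)] = bits & mask if masked else bits
    return out

def show(bits):
    """Render permission bits as an 'rwx' style string."""
    return "".join(ch if bits & b else "-" for ch, b in zip("rwx", (R, W, X)))

if __name__ == "__main__":
    for mode in (0o600, 0o660):   # step 5 vs. step 4 of the question
        eff = effective(inherit(BAR_DEFAULT, mode))
        print(oct(mode), {":".join(k): show(v) for k, v in eff.items()})
```

On a file that carries a mask entry, the group bits that chmod changes are the mask, so a scheduled `chmod g+rw` over the uploaded files is one form the permission-setting job mentioned in the answer can take.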

