openssh/openssh-6.6p1-sftp_force_permissions.patch

# additional option for sftp-server to force file mode for new files
# FATE#312774
# http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
# http://marc.info/?l=openssh-unix-dev&m=128896838930893

Index: b/sftp-server.8
===================================================================
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -38,6 +38,7 @@
 .Op Fl P Ar blacklisted_requests
 .Op Fl p Ar whitelisted_requests
 .Op Fl u Ar umask
+.Op Fl m Ar force_file_permissions
 .Ek
 .Nm
 .Fl Q Ar protocol_feature
@@ -138,6 +139,10 @@ Sets an explicit
 .Xr umask 2
 to be applied to newly-created files and directories, instead of the
 user's default mask.
+.It Fl m Ar force_file_permissions
+Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode.  Numeric values include:
+777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
 .El
 .Pp
 On some systems,
Index: b/sftp-server.c
===================================================================
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -78,6 +78,10 @@ static int readonly;
 /* Requests that are allowed/denied */
 static char *request_whitelist, *request_blacklist;
 
+/* Force file permissions */
+int permforce = 0;
+long permforcemode;
+
 /* portable attributes, etc. */
 typedef struct Stat Stat;
 
@@ -692,6 +696,10 @@ process_open(u_int32_t id)
 	debug3("request %u: open flags %d", id, pflags);
 	flags = flags_from_portable(pflags);
 	mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
+	if (permforce == 1) {
+		mode = permforcemode;
+		(void)umask(0); /* so umask does not interfere */
+	}
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
@@ -1494,7 +1502,8 @@ sftp_server_usage(void)
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
 	    "[-l log_level]\n\t[-P blacklisted_requests] "
-	    "[-p whitelisted_requests] [-u umask]\n"
+	    "[-p whitelisted_requests] [-u umask]\n\t"
+	    "[-m force_file_permissions]\n",
 	    "       %s -Q protocol_feature\n",
 	    __progname, __progname);
 	exit(1);
@@ -1519,7 +1528,7 @@ sftp_server_main(int argc, char **argv,
 	pw = pwcopy(user_pw);
 
 	while (!skipargs && (ch = getopt(argc, argv,
-	    "d:f:l:P:p:Q:u:cehR")) != -1) {
+	    "d:f:l:P:p:Q:u:m:cehR")) != -1) {
 		switch (ch) {
 		case 'Q':
 			if (strcasecmp(optarg, "requests") != 0) {
@@ -1579,6 +1588,13 @@ sftp_server_main(int argc, char **argv,
 				fatal("Invalid umask \"%s\"", optarg);
 			(void)umask((mode_t)mask);
 			break;
+        case 'm':
+            permforce = 1;
+            permforcemode = strtol(optarg, &cp, 8);
+            if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
+                cp == optarg || (permforcemode == 0 && errno != 0))
+                fatal("Invalid umask \"%s\"", optarg);
+            break;
 		case 'h':
 		default:
 			sftp_server_usage();