Hi Jakub,

Sorry for the late reply. I was off from work for a few days.

I've tried to add the noexec, nosuid and nodev mount options, but it seems to have some difficulties doing so with the kubernetes nfs-mount. I'll keep trying to resolve it anyway.

The patch you pasted is exactly the thing I wanna have. I think it's super useful and I definitely vote yes for merging it to master. I was actually planning to create a patch myself if I hadn't seen your reply. Is it possible to raise a concern about this patch in the developer group?

Regarding the "a script that fixes file permissions upon upload", this is also an interesting idea. But how do I add a hook that is listening to the upload events?

Thanks & Best Regards
House

> On Dec 18, 2017, at 06:03, Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
>
> On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
>> Hi,
>>
>> I understand that if I specify `ForceCommand internal-sftp -u
>> <umask>`, the permission of any files uploaded via sftp will be
>> calculated by `<original permission> & ~umask`. However, this can be
>> bypassed by the `-P` option of the `put` command. We are developing a
>> shared hosting platform, therefore we definitely don't want our users
>> to be able to upload any executable files. We can not disable the x
>> permission by umask because directories need the x permission.
>>
>> Is there any possible way to accomplish this? Or is it possible to
>> add a `ForceFilePermission` and `ForceDirPermission` option in the
>> sshd_config?
>>
>> Thanks & Best Regards,
>> House
>
> Hello,
> during the last month, there were already two emails in this mailing list
> discussing this issue:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-November/036468.html
>
> The patch has existed here since 2010 and it is currently used in
> Fedora/RHEL to great satisfaction, though it was never accepted by
> upstream, nor was there any official statement on whether they will
> eventually accept this change or why not (in which I would be greatly
> interested).
>
> The best advice I have is to pull that patch from the linked thread above.
> Or have some script that fixes the file permissions upon upload.
>
> Regards,
> Jakub
>
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
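Jakub's "script that fixes the file permissions upon upload" can be a sweep over the upload root that clears execute bits on regular files while leaving directories (which need x) untouched. The following is an added example written for this thread, not code from the list or from OpenSSH; it assumes the script runs as the owner or root, and it can be triggered periodically or from a filesystem-event watcher (it is not itself an sftp-server hook).

```python
import os
import stat
import tempfile


def sanitize_tree(root, file_mask=0o666, dir_mask=0o777):
    """Clear mode bits outside file_mask on regular files and outside dir_mask
    on directories below root, so a file that kept 0o755 through `put -P`
    loses its x bits while directories keep theirs. Symlinks are skipped.
    Returns a sorted list of (path, old_mode, new_mode) for every change."""
    changed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # never follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            mask = dir_mask if stat.S_ISDIR(st.st_mode) else file_mask
            old = stat.S_IMODE(st.st_mode)
            new = old & mask
            if new == old:
                continue
            try:  # O_NOFOLLOW + fchmod: if the path was swapped for a symlink
                fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # after lstat,
            except OSError:                                      # open fails
                continue
            try:
                os.fchmod(fd, new)
            finally:
                os.close(fd)
            changed.append((path, old, new))
    return sorted(changed)


def _touch(path, mode):
    open(path, "w").close()
    os.chmod(path, mode)


def demo():
    """Constructed upload tree mirroring the thread: a directory that needs x,
    a file that kept 0o755 via `put -P`, a 0o644 file and a symlink."""
    root = tempfile.mkdtemp(prefix="sftp-upload-")
    sub = os.path.join(root, "public_html")
    os.mkdir(sub)
    os.chmod(sub, 0o755)
    _touch(os.path.join(sub, "upload.sh"), 0o755)   # bypassed the -u umask
    _touch(os.path.join(sub, "index.html"), 0o644)
    os.symlink("index.html", os.path.join(sub, "link"))
    changed = sanitize_tree(root)
    mode = lambda p: stat.S_IMODE(os.lstat(os.path.join(sub, p)).st_mode)
    return {"changed": [os.path.relpath(p, root) for p, _, _ in changed],
            "dir": mode("."), "script": mode("upload.sh"), "doc": mode("index.html")}
```

Running `demo()` shows only `public_html/upload.sh` changing, from 0o755 to 0o644, while the directory stays 0o755.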