Reputation: 139
If I mount the sshfs server with no umask, I get -rw-rw-r-- on newly created files. If I try to open a PHP file on the server in my browser, I get this error:
Incorrect file/directory permissions: Above 755.
In order files to be processed by the webserver, their permissions have to be equal or below 755.
So I tried with umask=0022: the newly created files have -rwxr-xr-x. These permissions are fine, as the error above does not appear anymore. However, I can't understand why the new files are set as executable...
Could you please explain? Many thanks...
Upvotes: 6
Views: 17290
Reputation: 38807
In fuse drivers the umask option does not work intuitively.
sshfs new files and folders have their permissions set according to the sshd config on the remote host. And the combination of the two means there's no way to see what the remote permissions actually are if umask is set.
Some drivers offer separate fmask/dmask options to avoid making everything executable, but sshfs is not one of them. If you want no files to be executable then noexec will work (but not be reflected in the permissions). If some files should be executable and others not, then it's not possible.
Upvotes: 1
Reputation: 179
The umask sshfs option only deals with how the remote files appear to you on your local system. This shed some light on the issue for me: serverfault.com/q/228396. A desired umask of 0002 for remotely created files and folders was achieved with:
Lines appended to /etc/pam.d/sshd on the remote system:
# Setting UMASK for all ssh based connections (ssh, sftp, scp)
session optional pam_umask.so umask=0002
This one has been a long-running issue for me, cheers.
Upvotes: 3
Reputation: 8027
Some filesystems allow setting masks separately for directories and files with dmask and umask, which would allow you to disable the executable bit for files. I'm not sure if sshfs offers it; others have asked for it: https://superuser.com/questions/1020582/fuse-file-system-fmask-and-dmask.
You can set the noexec option for the whole filesystem if you don't want any user to execute any files.
Upvotes: 0
Reputation: 618
From the sshfs manual:
-o umask=M
set file permissions (octal)
Note the manual mentions the option name is umask. So it is not the same values you would use in chmod, where 7 means rwx (binary 111). Instead, umask is a mask, as the name says.
For fuse, this mask is used as an inversion of the desired permission.
Then, from http://wiki.gilug.org/index.php/How_to_mount_SFTP_accesses#General_working_of_umask, we get the following:
[umask i]s a template-mask. Is as a chmod inverse, because is used for shading the permissions to be set when creating files and directories. As higher is the octal value, more restrictive (at binary level a bit 1 shades an attribute and a bit 0 allows it).
0 allows rwX
1 allows rw-
2 allows r-X
3 allows r--
4 allows -wX
5 allows -w-
6 allows --X
7 allows ---
So, if you supply 0022, the permission will go as follows:
0777 (see umask man page) to consider only "user", "group" and "others" permissions (i.e. discard first part of the mask).
000 000 010 010 -> 0022
AND
000 111 111 111 -> 0777
=
000 000 010 010 -> 0022
000 010 010 -> 022
becomes
111 101 101 -> 755
If you don't want the files to be executable, but want them to be readable and writable (chmod 666), you should set umask to:
110 110 110 = 666 <- chmod value
001 001 001 = 111 <- umask value
Upvotes: 6
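Added example, not part of any answer above: the mask arithmetic from this thread in Python, comparing what a FUSE `umask=M` mount option displays with what an ordinary process umask would produce for a file requested as 0666. The function names are made up for this sketch, and reading the web server's "above 755" as "any bit set outside 0755" is an assumption.

```python
import stat

def fuse_umask_mode(umask: int) -> int:
    """Bits shown on a FUSE mount with -o umask=M: AND with 0777, then invert."""
    return 0o777 & ~(umask & 0o777)

def process_umask_mode(requested: int, umask: int) -> int:
    """Ordinary process umask: clears bits from the mode a program asks for."""
    return requested & ~umask & 0o777

def umask_for(desired: int) -> int:
    """FUSE umask value that yields the desired chmod-style bits."""
    return 0o777 & ~desired

def mode_string(mode: int) -> str:
    """Render permission bits the way ls does for a regular file."""
    return stat.filemode(stat.S_IFREG | mode)

def exceeds(mode: int, limit: int = 0o755) -> bool:
    """Assumed reading of 'above 755': any bit set that the limit lacks."""
    return bool(mode & ~limit & 0o777)

def report(umask: int) -> str:
    shown = fuse_umask_mode(umask)
    created = process_umask_mode(0o666, umask)  # 0666: usual request for new files
    return (f"umask={umask:04o}  fuse shows {mode_string(shown)} ({shown:03o})  "
            f"process umask would create {mode_string(created)} ({created:03o})  "
            f"above 755: {exceeds(shown)}")

if __name__ == "__main__":
    for m in (0o022, 0o111, 0o133):  # constructed sample values
        print(report(m))
```

Under the assumed reading of the server check, the 666 produced by a mask of 111 still carries group and other write bits outside 755, while a mask of 133 gives 644.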