ProFTPD's Umask configuration directive is used to set the file permission bits on newly created files and directories. However, the way in which Umask is to be used is not entirely straightforward.

Umask is used to set the value that proftpd will use when calling umask(2). The umask(2) function works something like this: mode - umask. (Technically, the operation is mode & ~umask). Thus, with a mode of 0666 and a umask of 0022, the permissions on the newly created file will be 0644 (e.g. rw-r--r--).
A quick review of permission bits:

    4 is read permission (r)
    2 is write permission (w)
    1 is execute permission (x)

The first digit of a mode (0750, for example) is used to specify some special bits (e.g. set-user-ID, set-group-ID, and the "sticky bit"). The second digit, the 7 in this example, specifies the user owner permissions, and is a sum of the above permission bits: 7 = 4 + 2 + 1 (e.g. rwx). Group owner permissions are specified by the third digit, 5: 5 = 4 + 1 (e.g. r-x). And finally, other or world permissions are specified using the last digit, which in the example is 0 (no permissions, e.g. ---). The full representation of a mode of 0750, as one would see it in a directory listing, would thus be: rwxr-x---.
The proftpd daemon always starts with a base mode of 0666 when creating files. Note that Umask can only be used to "take away" permissions granted by the base mode; it cannot be used to add permissions that are not there. This means that files uploaded to a proftpd server will never have the execute permission enabled by default (the base mode does not have any execute bits enabled). This is a conscious security design decision. For directories, the base mode is 0777. The umask used for directories can be configured using the optional second parameter to the Umask directive; if this second parameter is not used, the umask used for created directories will default to the same umask as used for files.
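The following is an added example, not part of this document or of the proftpd source: it models the behaviour described above by parsing a Umask directive line (one or two octal parameters), applying each umask to proftpd's base modes of 0666 for files and 0777 for directories with the mode & ~umask operation, and rendering the result as it would appear in a directory listing. The function names and the sample directive lines are constructed for illustration.

```python
import re

FILE_BASE_MODE = 0o666  # proftpd's base mode for newly created files
DIR_BASE_MODE = 0o777   # proftpd's base mode for newly created directories


def parse_umask_directive(line):
    """Parse a proftpd.conf 'Umask' line into (file_umask, dir_umask).

    The optional second parameter is the directory umask; when it is
    absent, directories use the same umask as files.
    """
    parts = line.split()
    if not parts or parts[0].lower() != "umask" or len(parts) not in (2, 3):
        raise ValueError("expected: Umask <file-umask> [dir-umask]")
    masks = []
    for p in parts[1:]:
        if not re.fullmatch(r"[0-7]{1,4}", p):
            raise ValueError("umask must be an octal value: %r" % p)
        masks.append(int(p, 8))
    file_umask = masks[0]
    dir_umask = masks[1] if len(masks) == 2 else file_umask
    return file_umask, dir_umask


def apply_umask(base_mode, umask):
    """umask(2) semantics: bits set in the umask are cleared from the mode.
    A umask can only remove permission bits, never add them, so a file
    created from base 0666 never gains an execute bit this way."""
    return base_mode & ~umask & 0o777


def symbolic(mode):
    """Render the low nine permission bits as a directory-listing string."""
    out = []
    for shift in (6, 3, 0):
        triad = (mode >> shift) & 0o7
        out.append("r" if triad & 4 else "-")
        out.append("w" if triad & 2 else "-")
        out.append("x" if triad & 1 else "-")
    return "".join(out)


def effective_modes(directive_line):
    """Return the (file_mode, dir_mode) proftpd would produce for a Umask line."""
    file_umask, dir_umask = parse_umask_directive(directive_line)
    return apply_umask(FILE_BASE_MODE, file_umask), apply_umask(DIR_BASE_MODE, dir_umask)


if __name__ == "__main__":
    for line in ("Umask 022", "Umask 077 022"):  # constructed sample directives
        f, d = effective_modes(line)
        print("%-14s files %04o (%s)  dirs %04o (%s)" % (line, f, symbolic(f), d, symbolic(d)))
```

Note that "Umask 077 022" yields 0600 for uploaded files while still leaving directories traversable (0755), which is the case the optional second parameter exists for.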
If it is necessary to make uploaded files executable, the SITE CHMOD FTP command can be used:

    SITE CHMOD mode file

Use of this command can be restricted using a "command" of SITE_CHMOD in a <Limit> section. For example, this section of a proftpd.conf file:

    <Limit SITE_CHMOD>
      AllowUser ftpadmin
      DenyAll
    </Limit>

will deny everyone except user ftpadmin from being able to use the SITE CHMOD command to change the permissions on files via FTP. Note that this construction is recommended instead of using the deprecated (as of proftpd-1.2.2rc2) AllowChmod configuration directive.