Umask configuration directive is used to set the
file permission bits on newly created files and directories. However, the way
Umask is to be used is not entirely straightforward.
Umask is used to set the value that
use when calling
works something like this:
mode - umask.
(Technically, the operation is
mode & ~umask). Thus, with
a mode of
0666, and a umask of
the permissions on the newly created file will be
A quick review of permission bits:
4 is read permission (r) 2 is write permission (w) 1 is execute permission (x)The first digit of a mode (
0750, for example) is used to specify some special bits (e.g. set-user-ID, set-group-ID, and the "sticky bit"). The second digit, the
7in this example, specifies the user owner permissions, and is a sum of the above permission bits:
7 = 4 + 2 + 1(e.g.
rwx). Group owner permissions are specified by the third bit,
5 = 4 + 1(e.g.
r-x). And finally, other or world permissions are specified using the last bit, which in the example is
0(no permissions, e.g.
---). The full represenation of a mode of
0750, as one would see it in a directory listing, would thus be:
proftpd daemon always starts with a base mode of
0666 when creating files. Note that
Umask can only
be used to "take away" permissions granted by the base
mode; it cannot be used to add permissions that are not there. This
means that files uploaded to a
proftpd server will never have the
execute permission enabled by default (the base mode is does not have
any execute bits enabled). This is a conscious security design decision. For
directories, the base mode is
0777. The umask used
for directories can be configured using the optional second parameter to the
Umask directive; if this second parameter is not used, the
umask used for created directories will default to the same
umask as used for files.
If it is necessary to make uploaded files executable, the
SITE CHMOD FTP command can be used:
SITE CHMOD mode fileUse of this command can be restricted using a "command" of
<Limit>section. For example, this section of a
<Limit SITE_CHMOD> AllowUser ftpadmin DenyAll </Limit>will deny everyone except user
ftpadminfrom being able to use the
SITE CHMODcommand to change the permissions on files via FTP. Note that this construction is recommended instead of using the deprecated (as of