Request addition of Fedora / Redhat "sftp-force-permissions" patch
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
portable OpenSSH | Unknown | Unknown | |
openssh (Debian) | Confirmed | Unknown | |
openssh (Ubuntu) | Triaged | Wishlist | Unassigned |
Bug Description
Fedora / Redhat ships openssh with a patch which adds "-m force permission" flag to sftp-server.
This is quite a common feature request / support request on the various stackexchange sites - https:/
You will see that someone has answered "add -m" there which is indeed the simplest answer by a distance but unfortunately it's a non-standard patch:
https:/
This I think should supersede #563216 because they have been shipping this in production presumably since at least 2015 (I see it in fedora 22 branch), so it is a known stable patch compared to the one suggested there.
Changed in openssh (Debian): status: Unknown → Confirmed
Hi Mark and thanks for this bug report. I can see how the flag introduced by the "sftp-force-permissions" patch could come in handy, however I doubt we are going to include it in the Ubuntu package unless there's a compelling reason for doing so. And if such a compelling reason did exist, then I think it should be brought to the attention of the upstream openssh developers, without delivering the functionality with a distribution-specific patch.
My suggestion here is to:
- Poke upstream about this. Note that they may have a good rationale for *not* including the patch, given that it's small and they didn't already do so.
- File a bug in Debian. The Ubuntu openssh package is almost a sync from Debian, which is another good reason to avoid including an additional delta to it, with all its long-term implications (old memories here: [1]). If Debian includes the patch then Ubuntu will pick it up with the following package syncs or merges.
I'm going to triage this as a Wishlist bug for now. This is not a final word, but I doubt the importance of this bug is likely to be bumped without a compelling use case that would be enabled by adding the patch.
[1] https://www.debian.org/security/2008/dsa-1571