Set SSH/FTP home directory permissions

You can specify home directory permissions for a home directory that is accessed through SSH or FTP by setting a umask value.

Before you begin

To perform most configuration tasks, you must log on as a member of the SecurityAdmin role.

About this task

When a user's home directory is created at login through SSH or FTP, it is created using POSIX mode bits. The permissions setting on a user's home directory is set to 0755, then masked according to the umask setting of the user's access zone to further limit permissions. You can modify the umask setting for a zone with the --home-directory-umask option, specifying an octal number as the umask value.

Procedure

  1. Run the following command to view the umask setting:
    isi zone zones view System
    The system displays output similar to the following example:
                            Name: System                       
                            Path: /ifs                   
                        Groupnet: groupnet0              
                   Map Untrusted: -             
                  Auth Providers: lsa-local-provider:System, lsa-file-provider:System               
                    NetBIOS Name: -         
              User Mapping Rules: -       
            Home Directory Umask: 0077         
              Skeleton Directory: /usr/share/skel         
              Cache Entry Expiry: 4H
     Negative Cache Entry Expiry: 1m                    
                         Zone ID: 1
    

    In the command result, the default Home Directory Umask setting is 0077, so home directories are created with permissions of 0700, which is equivalent to (0755 & ~(077)). You can modify the Home Directory Umask setting for a zone with the --home-directory-umask option, specifying an octal number as the umask value. This value indicates the permissions that are to be disabled, so larger mask values indicate fewer permissions. For example, a umask value of 000 or 022 yields created home directory permissions of 0755, whereas a umask value of 077 yields created home directory permissions of 0700.

  2. Run a command similar to the following example to allow group and others read and execute permission in a home directory:
    isi zone zones modify System --home-directory-umask=022
    In this example, the umask is set to 022, so user home directories are created with mode bits 0755 masked by that value. The resulting mode is 0755, which is equivalent to (0755 & ~(022)).
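
The mask arithmetic from the steps above, together with a check for existing home directories that are more permissive than a given zone umask allows, as an added example that is not part of the original documentation. The function names, the layout of one home directory per entry under a parent directory, and a host with GNU or BSD `stat` are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): predict the mode a zone umask produces and
# flag existing home directories that are more permissive than that mode.
BASE_MODE=0755   # starting mode for new home directories, per the text above

# home_mode UMASK -> prints (BASE_MODE & ~UMASK) as four octal digits
home_mode() {
    case "$1" in
        ''|*[!0-7]*) echo "umask must be octal: '$1'" >&2; return 1 ;;
    esac
    printf '%04o\n' $(( $BASE_MODE & ~0$1 & 0777 ))
}

# dir_mode PATH -> permission bits in octal (GNU stat first, then BSD stat)
dir_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_homes PARENT UMASK -> one line per directory directly under PARENT
# (an assumed layout) that has permission bits the umask would have cleared
audit_homes() {
    expected=$(home_mode "$2") || return 2
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        actual=$(dir_mode "${d%/}")
        extra=$(( 0$actual & ~0$expected & 0777 ))
        [ "$extra" -eq 0 ] ||
            printf '%s %s (expected at most %s)\n' "${d%/}" "$actual" "$expected"
    done
}

# Table for the umask values discussed above
for m in 000 022 077; do
    echo "umask $m -> home directory mode $(home_mode "$m")"
done
```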