IBM Support

OpenSSH and SFTP - Authority Considerations with the Integrated File System (IFS)

Troubleshooting


Problem

The authority structure of files transferred (created) using the SFTP application does not follow the traditional IFS authority path, where the parent directory's owner and *PUBLIC authorities are propagated.

Resolving The Problem

The authority defined on a newly created file in the Integrated File System (IFS) that was created using SFTP (OpenSSH) does not conform to the traditional authority settings in the IFS. The rule of thumb for file creation and authority in the IFS is that the newly created file propagates the parent directory's owner authority as well as the *PUBLIC authority; however, how the authority is assigned to the new object depends on which command or procedure was used to create the object in the IFS. See the Rochester Support Center knowledgebase document "New, Integrated File System Authority Considerations" for further information on this topic.

When a user transfers a file into the IFS using SFTP, the file is created as it existed on the source machine. For example, a file named DATAFILE is created on another system (which can be i5/OS or some other platform). That file has an owner and a public authority, and the public authority is set to exclude or none. The file is transferred to the System i using SFTP and is created in a directory called NEWDATA. The NEWDATA directory has *PUBLIC set to *RWX with all authority granted. When DATAFILE is created, its *PUBLIC authority is set to *EXCLUDE instead of the parent directory's authority of *RWX.

The new file has the following authorities assigned to it:

Public data authorities are copied from the source system and assigned to the file
Object authorities are inherited from the parent directory and assigned to the file

The i5/OS OpenSSH behavior of inheriting the file permission bits from the permission bits of the file on the source machine is no different from the behavior of OpenSSH on any other platform.

To circumvent this and change the authority to the parent directory's authority structure, use CHGAUT. Alternatively, CHMOD (Change file modes) can be used within a QP2TERM session. This is working as designed.
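The scenario above, reproduced with ordinary files as an added example (this is not IBM's code): cp -p stands in for the SFTP upload, which carries the source file's permission bits, and public_from_parent applies the CHMOD-style correction the document recommends. It assumes a POSIX shell with ls, chmod, mktemp and sed, as found in QP2TERM or any Unix system; the function and directory names are the example's own.

```shell
#!/bin/sh
# Constructed demonstration: the document's DATAFILE/NEWDATA scenario,
# simulated locally, followed by the chmod fix.

# Print the "other" (*PUBLIC) permission letters of a path, e.g. "rwx"
# or "" (public excluded). ls -ld is used because stat(1) options
# differ between platforms; the mode string is always the first field.
public_bits() {
    ls -ld "$1" | cut -c8-10 | sed 's/-//g'
}

# Set a file's *PUBLIC (other) bits to those of its parent directory,
# i.e. what traditional IFS propagation would have produced.
# An empty bit string yields "chmod o=", which is *EXCLUDE.
public_from_parent() {
    file=$1
    parent=$(dirname "$file")
    bits=$(public_bits "$parent")
    chmod "o=$bits" "$file"
}

# Simulated transfer: NEWDATA has *PUBLIC *RWX (mode 777); the source
# DATAFILE has public excluded (mode 600). cp -p preserves the source
# mode, as the SFTP upload does, so the copy does NOT inherit rwx from
# NEWDATA. Prints the path of the transferred file.
demo_transfer() {
    work=$(mktemp -d)
    mkdir "$work/NEWDATA" && chmod 777 "$work/NEWDATA"
    : > "$work/DATAFILE.src" && chmod 600 "$work/DATAFILE.src"
    cp -p "$work/DATAFILE.src" "$work/NEWDATA/DATAFILE"
    echo "$work/NEWDATA/DATAFILE"
}

# Stand-alone run: show the bits before and after the fix.
f=$(demo_transfer)
echo "parent *PUBLIC bits: [$(public_bits "$(dirname "$f")")]"
echo "file after transfer: [$(public_bits "$f")]"
public_from_parent "$f"
echo "file after chmod:    [$(public_bits "$f")]"
```

On IBM i the same idea applies with CHGAUT from a CL command line; the point is that the file's public bits are only corrected after the transfer, not during it.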


Note 1: Refer to document number N1020029, OpenSSH version 5.8p1 changes the default umask of the Secure Shell Daemon (SSHD), for additional information.


Historical Number

515626818

Document Information

Modified date:
18 December 2019

UID

nas8N1018635