Proper way to set the umask for SFTP transactions?

The general solution is to add the following line to /etc/ssh/sshd_config on Arch Linux:

Subsystem sftp internal-sftp -u 0002

However, the gotcha for me was that users of group "team" had a ForceCommand defined in that same config file. For these users, the ForceCommand was overriding the specification listed above.

The solution was to add the same "-u" flag on the ForceCommand:

Match Group team
   ForceCommand internal-sftp -u 0002

Then run:

systemctl restart sshd.service

It is important to note that using the sshfs mount option umask is not recommended. It did not produce the desired behavior for me.

References:

  • "The umask option for sshfs goes down to the underlying fuse layer where it's handled wrongly. afaict the advice is to avoid it." – Ralph Rönnquist Jun 17 '16 at 7:56, comment on "Understanding sshfs and umask"
  • https://jeff.robbins.ws/articles/setting-the-umask-for-sftp-transactions
  • https://unix.stackexchange.com/a/289278/15010

EDIT:

While this solution works on the command line and with some desktop apps (e.g., KDE's Kate text editor), it does not work correctly with many desktop applications (including KDE's Dolphin file manager, XSane, etc.). So this turned out not to be a good overall solution.
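The gotcha in the answer above is easy to reintroduce later: a new Match block with its own ForceCommand silently drops the umask set on the Subsystem line. The following is an added check script (not part of the original answer) that scans an sshd_config and flags every internal-sftp / sftp-server entry point that lacks an explicit "-u" flag; the embedded config is a constructed sample, and the function name sftp_umask_check is assumed.

```shell
#!/bin/sh
# Added example: audit an sshd_config so that every SFTP entry point
# (Subsystem line or a ForceCommand inside a Match block) carries "-u <umask>".
# Not code from the original answer; sftp_umask_check is a name chosen here.

# Constructed sample config for demonstration; in practice pass /etc/ssh/sshd_config.
SAMPLE_CONFIG='Port 22
Subsystem sftp internal-sftp -u 0002
Match Group team
   ForceCommand internal-sftp
Match User backup
   ForceCommand internal-sftp -u 0027
'

# sftp_umask_check <file>
# Prints one line per Subsystem/ForceCommand directive that invokes
# internal-sftp or sftp-server, tagged OK (has -u NNNN) or MISSING.
# Returns 0 when every such directive carries -u, 1 otherwise.
sftp_umask_check() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            kw = tolower($1)
            if (kw != "subsystem" && kw != "forcecommand") next
            if ($0 !~ /internal-sftp|sftp-server/) next
            # -u must be a separate word followed by an octal mask
            if ($0 ~ /(^|[[:space:]])-u[[:space:]]+[0-7]+/) status = "OK"
            else { status = "MISSING"; bad++ }
            printf "line %d: %s umask %s\n", NR, $1, status
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# Stand-alone demo on the constructed sample.
demo_file=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$demo_file"
sftp_umask_check "$demo_file" || echo "at least one SFTP entry point lacks -u"
rm -f "$demo_file"
```

Run it again after `systemctl restart sshd.service` edits, since `sshd -T` shows the merged Match configuration but will not tell you which ForceCommand dropped the flag.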


When sftp-server is used, the umask in /etc/profile isn't used. You can set the umask for all user sessions (including shell) with pam_umask module. Append to /etc/pam.d/system-login:

session    optional   pam_umask.so

And configure your umask value in /etc/login.defs.