Linux permissions

see also: acl

write only "drop" folders

Subsystem sftp /usr/lib/openssh/sftp-server -u 666

man sftp-server says:

-u umask
     Sets an explicit umask(2) to be applied to newly-created files
     and directories, instead of the user's default mask.

Then you do setfacl -m d:u:adminuser:rwX /path/to/folder where adminuser is the user which should be able to read and write to the files. Similarly it works with setfacl -m d:g:admingroup:rwX /path/to/folder for a group.

If you allow regular SSH it's also possible to setfacl -m u::rwX as the user which created the files (=owner) and do what you like with them afterwards. Make sure that you only allow SFTP.

You can also use ACLs to set the default permissions: setfacl -m u::-,g::- makes it so the user creating the file doesn't have any permissions. It's always possible to change permissions as the owner (see first EDIT). The solution for this would be setting the setuid/setgid bits for the directory, but Linux doesn't allow setuid on directories (except if you use the GFS2 file system on Linux, or any FS on FreeBSD with the suiddir mount option).

You can also watch the folder for changes and chown the newly created files with this little script:

inotify-chown
#!/bin/sh
# Usage:
# inotify-chown <user>:<group> <dir>
 
inotifywait -mrq -e create -e modify --format %w%f "$2" | while read FILE
do
  chown -c $1 "$FILE"
done