see also: acl
Subsystem sftp /usr/lib/openssh/sftp-server -u 666
man sftp-server
says:
-u umask Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask.
Then you do setfacl -m d:u:adminuser:rwX /path/to/folder
where adminuser
is the user which should be able to read and write to the files. Similarly it works with setfacl -m d:g:admingroup:rwX /path/to/folder
for a group.
If you allow regular SSH it's also possible to setfacl -m u::rwX
as the user which created the files (=owner) and do what you like with them afterwards. Make sure that you only allow SFTP.
You can also use ACLs to set the default permissions: setfacl -m u::-,g::-
makes it so the user creating the file doesn't have any permissions. It's always possible to change permissions as the owner (see first EDIT). The solution for this would be setting the setuid/setgid bits for the directory, but Linux doesn't allow setuid on directories (except if you use the GFS2 file system on Linux, or any FS on FreeBSD with the suiddir mount option).
You can also watch the folder for changes and chown the newly created files with this little script:
#!/bin/sh # Usage: # inotify-chown <user>:<group> <dir> inotifywait -mrq -e create -e modify --format %w%f "$2" | while read FILE do chown -c $1 "$FILE" done