emberstack · scottfridwin · Oct 15, 2025
diff --git a/README.md b/README.md
@@ -140,6 +140,7 @@ You can customize the values of the helm deployment by using the following Value
 | `configuration.Users[].GID`                                 | Sets the user's GID. A group is created for this value and the user is included  | `null`                                                  |
 | `configuration.Users[].Chroot`                              | If set, will override global `Chroot` settings for this user.                    | `null`                                                  |
 | `configuration.Users[].Directories`                         | Array of additional directories created for this user                            | `null`                                                  |
+| `configuration.Users[].Umask`                               | If set, will set a user-specific `umask` value for this user.                    | `null`                                                  |
 | `initContainers`                                            | Additional initContainers for the pod                                            | `{}`                                                    |
 | `resources`                                                 | Resource limits                                                                  | `{}`                                                    |
 | `nodeSelector`                                              | Node labels for pod assignment                                                   | `{}`                                                    |

diff --git a/src/ES.SFTP/Configuration/Elements/UserDefinition.cs b/src/ES.SFTP/Configuration/Elements/UserDefinition.cs
@@ -15,4 +15,7 @@ public class UserDefinition
     public ChrootDefinition Chroot { get; set; } = new();
     public List<string> Directories { get; set; } = new();
     public List<string> PublicKeys { get; set; } = new();
+
+    // Umask property for user-specific file permissions
+    public string Umask { get; set; }
 }
diff --git a/src/ES.SFTP/SSH/SSHService.cs b/src/ES.SFTP/SSH/SSHService.cs
@@ -68,7 +68,8 @@ private async Task UpdateConfiguration()
             PKIandPassword = sftpConfig.Global.PKIandPassword
         };
 
-        var exceptionalUsers = sftpConfig.Users.Where(s => s.Chroot != null).ToList();
+        var exceptionalChrootUsers = sftpConfig.Users.Where(s => s.Chroot != null).ToList();
+        var exceptionalUmaskUsers = sftpConfig.Users.Where(s => !string.IsNullOrWhiteSpace(s.Umask)).ToList();
 
         var standardDeclarations = new[]
         {
@@ -82,7 +83,17 @@ private async Task UpdateConfiguration()
                 : s.Username)
         );
 
-        sshdConfig.MatchBlocks.AddRange(exceptionalUsers.Select(s => new MatchBlock
+        sshdConfig.MatchBlocks.AddRange(exceptionalUmaskUsers.Select(s => new MatchBlock
+        {
+            Criteria = MatchBlock.MatchCriteria.User,
+            Match = {s.Username},
+            Declarations = new List<string>(standardDeclarations)
+            {
+                $"ForceCommand internal-sftp -u {s.Umask}"
+            }
+        }));
+
+        sshdConfig.MatchBlocks.AddRange(exceptionalChrootUsers.Select(s => new MatchBlock
         {
             Criteria = MatchBlock.MatchCriteria.User,
             Match = {s.Username},
@@ -99,7 +110,7 @@ private async Task UpdateConfiguration()
         {
             Criteria = MatchBlock.MatchCriteria.User,
             Match = {"*"},
-            //Except = exceptionalUsers.Select(s => s.Username).ToList(),
+            //Except = exceptionalChrootUsers.Select(s => s.Username).ToList(),
             Declarations = new List<string>(standardDeclarations)
             {
                 $"ChrootDirectory {sftpConfig.Global.Chroot.Directory}",