Permission for .ssh folder in home/user/.ssh/

jasonwch · May 29, 2026, 1:05am

Just discovered the folder /home/username/.ssh permission set as 755, and the authorized_keys file inside set as 644

the file is:

from=“127.0.0.1”,command=“internal-sftp”,restrict ssh-rsa 

XXXXXXXXXXXXXXX

filemanager.ssh.key

Is this normal behavior? will it cause security concern?

sahsanu · May 29, 2026, 1:15am

I think this open PR managed that:

github.com/hestiacp/hestiacp

fix(filemanager): avoid blocked sudo chmod and grant .ssh traversal for hestiaweb (#5242)

main ← amongiardo:fix/filemanager-sftp-key-traversal

opened 10:48PM - 06 Mar 26 UTC

amongiardo

+9 -3

## Summary This PR fixes a File Manager SFTP failure that can surface as `U…nknown error` in the UI (`/fm/?r=/getdir` returning 500). ## Problem In File Manager config, when key is missing, it runs: - `sudo /usr/local/hestia/bin/v-add-user-sftp-key ...` - `sudo chmod o+x /home/<user>/.ssh` But default Hestia sudoers for `hestiaweb` allows only `/usr/local/hestia/bin/*`, so `sudo chmod ...` is denied (`command not allowed`), and SFTP login may fail. ## Changes 1. Removed blocked sudo call from: - `install/deb/filemanager/filegator/configuration.php` - removed `shell_exec("sudo chmod o+x ...")` 2. Moved traversal permission handling into Hestia script: - `bin/v-add-user-sftp-key` - after key creation/ownership: - use `setfacl -m u:hestiaweb:--x "$HOMEDIR/$user/.ssh"` when available - fallback to `chmod o+x "$HOMEDIR/$user/.ssh"` when ACL tool is unavailable ## Why this is safer - Keeps privilege changes inside Hestia-managed scripts (already allowed by sudoers). - Grants minimum traverse permission for `hestiaweb` to reach the FM key path. - Avoids runtime sudo failures from File Manager PHP code. ## Validation - Bash syntax check passed for `v-add-user-sftp-key`. - Runtime verification: SFTP login succeeds with FM key; directory listing works where it previously failed with 500.

jasonwch · May 29, 2026, 1:23am

is this a security bug about that file and folder permission

sahsanu · May 29, 2026, 1:25am

jasonwch · May 29, 2026, 1:36am

Thanks, I’ve changed these 2 files. So I need to manually set .ssh/ folder to 700, and authorized_keys file inside to 600?

sahsanu · May 29, 2026, 1:39am

Yes, those are the recommended permissions.