How to set umask for apache?

Hi,

I tried to give the www user a login shell (sh) and set in .profile
Code:
umask 002
When I do sudo su - www I have the correct umask.

Code:
$ sudo su - www
$ umask
0002

But when I start the webserver it does not affect it.

I set
Code:
umask 002
in /usr/local/etc/rc.d/apache, but I normally avoid modifying such files, because they could be modified/kicked by a port update.

Any ideas?

BTW: my problem is, I have inside my /home some webroots, and when Apache creates files (php, joomla) the files are in the group www (which I'm in, of course) but with mode 644, so I can't modify/delete them without sudo or root permissions.
 
msteiner said:
I tried to give the www user a login shell (sh) and set in .profile
Code:
umask 002
When I do sudo su - www I have the correct umask.

Code:
$ sudo su - www
$ umask
0002

But when I start the webserver it does not affect it.

That's because you're not executing a login shell for that user.

msteiner said:
I set
Code:
umask 002
in /usr/local/etc/rc.d/apache, but I normally avoid modifying such files, because they could be modified/kicked by a port update.

Setting umask in the rc.d script should work. (Have you tried it?) I agree that a later port update could overwrite it, though. You might consider keeping the current production version under rcs(1) or some such, and testing for changes following updates.

msteiner said:
BTW: my problem is, I have inside my /home some webroots, and when Apache creates files (php, joomla) the files are in the group www (which I'm in, of course) but with mode 644, so I can't modify/delete them without sudo or root permissions.

I'm curious to explore this point more. Under what circumstances are you trying to modify/delete www-created files?
 
anomie said:
That's because you're not executing a login shell for that user.

Hm, I set /bin/sh instead of /usr/bin/nologin and set the home directory to /home/www/. I think this should be enough for a login shell?!

anomie said:
Setting umask in the rc.d script should work. (Have you tried it?) I agree that a later port update could overwrite it, though. You might consider keeping the current production version under rcs(1) or some such, and testing for changes following updates.

Yes, this works like a charm; files and directories are now created read/writable for the group www.

anomie said:
I'm curious to explore this point more. Under what circumstances are you trying to modify/delete www-created files?

My problem is that the webserver runs as user www, and I have inside my home directory some webhostings (~www/joomla) for a joomla test environment. I work as my user (m.steiner) there, and when I install stuff with joomla internal functions the webserver uploads the files/creates files and directories. So the webserver creates files which I don't own, and so I don't have the permissions to modify/delete them (I have to chown them as root, and I try to avoid root usage).
 
msteiner said:
Hm, I set /bin/sh instead of /usr/bin/nologin and set the home directory to /home/www/. I think this should be enough for a login shell?!

Yes, but your rc.d script is launching httpd, not a Bourne shell. :) Why should it read ~/.profile, then?

msteiner said:
Yes, this works like a charm; files and directories are now created read/writable for the group www.

...

My problem is that the webserver runs as user www, and I have inside my home directory some webhostings (~www/joomla) for a joomla test environment. I work as my user (m.steiner) there, and when I install stuff with joomla internal functions the webserver uploads the files/creates files and directories. So the webserver creates files which I don't own, and so I don't have the permissions to modify/delete them (I have to chown them as root, and I try to avoid root usage).

I had a similar issue with a customer a few months back. My (arguably horrible) fix was to have a cronjob fix up ownership and permissions at regular intervals for a targeted set of directories.

That or the rc.d script change are the most "elegant" suggestions I know of at this time.
 
I found an interesting file, and the solution:

/usr/local/sbin/envvars

This file builds the environment for apachectl; it evaluates each file that matches *.env and is located in:

/usr/local/etc/apache22/envvars.d/

This will do it:

Code:
# echo 'umask 2' > /usr/local/etc/apache22/envvars.d/umask.env
# /usr/local/etc/rc.d/apache22 restart
 
Hello,

msteiner, the intelligent solution is to set "root" (the document root of your web server) with chmod 775 and owner your_user:www, without changing any group, any rc.d startup script, adding shells to the www user, etc.

Code:
drwxrwxr-x   2 bobi  www            512 May 26 14:42 upload

# ls -l upload
total 8
-rw-r--r--  1 bobi  www   294 May 26 14:33 index.html
-rw-r--r--  1 bobi  www  1202 May 26 14:38 upload.php

Here is my test directory for uploading, into which I uploaded a png file via the web.

Code:
-rw-r--r--  1 www   www  9317 May 26 14:47 11.png
-rw-r--r--  1 bobi  www   294 May 26 14:33 index.html
-rw-r--r--  1 bobi  www  1202 May 26 14:38 upload.php

Now I'll delete the uploaded file with my user:

Code:
$ id
uid=1001(bobi) gid=1001 groups=1001
$ rm 11.png
override rw-r--r--  www/www for 11.png? y
$ ls -l
total 8
-rw-r--r--  1 bobi  www   294 May 26 14:33 index.html
-rw-r--r--  1 bobi  www  1202 May 26 14:38 upload.php
 
Try to create a directory in PHP and create a file in this directory; the user has no permission to modify the file. (I guess) this is because the directory is created with 0755 and the files in it with 0644, so you are in the group www but you don't have permission to modify files inside the directory.

You can delete a file which you don't own if you have permission to modify the directory where the file is located. I think this is because you modify the directory (remove an entry from the file list).

Code:
[mirko@server ~]$ mkdir a
[mirko@server ~]$ ls -la a
total 29
drwxr-xr-x   2 mirko  mirko    2 May 28 00:11 .
drwxr-xr-x  68 mirko  mirko  220 May 28 00:11 ..
[mirko@server ~]$ sudo touch a/b
[mirko@server ~]$ ls -l a/b
-rw-r--r--  1 root  mirko  0 May 28 00:11 a/b
[mirko@server ~]$ rm a/b 
override rw-r--r--  root/mirko for a/b? y

I set the setgid bit on directories ($ find . -type d -exec chmod 2775 {} \;), so when I create a file in the directory it gets owned by the group www. Due to the umask 2 for the webserver and my user, the files can be modified by both, the user and the webserver.
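As an added illustration (not from any poster in this thread) of the setgid-directory plus umask 2 setup in the last post, this script builds the layout in a scratch directory and shows the modes that result; the directory name and the empty placeholder file are constructed, and it uses only ls(1), chmod(1), mkdir(1) and rm(1), so it runs on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example: reproduce the shared-webroot layout from the thread and
# show why both the owner and the webserver can then modify the files.

# Symbolic mode of a path: the first 10 characters of "ls -ld".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# What the directory owner does once: group-writable directory with the
# setgid bit, so anything created inside inherits the directory's group.
make_shared_webroot() {
    mkdir -p "$1"
    chmod 2775 "$1"
}

# What httpd does under "umask 2": a new subdirectory and a new file.
# Run in a subshell so the umask change does not leak into the caller.
create_as_webserver() {
    (
        umask 002
        mkdir "$1/uploads"
        : > "$1/uploads/11.png"   # constructed placeholder upload
    )
}

# The point from the post: removing a directory entry needs write access
# on the directory, not on the file.  Returns 0 when the entry is gone.
remove_entry() {
    rm -f "$1"
    [ ! -e "$1" ]
}

WEBROOT="${TMPDIR:-/tmp}/umask_demo.$$"
make_shared_webroot "$WEBROOT"
create_as_webserver "$WEBROOT"
echo "webroot:  $(mode_of "$WEBROOT")"                 # drwxrwsr-x (s = setgid)
echo "uploads/: $(mode_of "$WEBROOT/uploads")"         # group-writable: drwxrw...
echo "11.png:   $(mode_of "$WEBROOT/uploads/11.png")"  # -rw-rw-r--
```

Without the umask change, the same file would come out as -rw-r--r-- and only the directory entry, not the file contents, would be editable by the group.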
 