Setting umask on daemon

zipitup

I have syncthing installed. But I guess this question can be posed to any daemon running on FreeBSD.

How do we properly set umask for services run on FreeBSD?

I have tried setting it in /etc/login.conf, but that only applies to a shell executed by a user.

A service does not look at login.conf, so I have modified the /etc/local/etc/rc.d/syncthing file to call "umask 022" at precmd.

Code:
#!/bin/sh

# $FreeBSD: head/net/syncthing/files/syncthing.in 470134 2018-05-16 17:26:15Z swills $
#
# PROVIDE: syncthing
# REQUIRE: DAEMON
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
# syncthing_enable (bool):      Set to NO by default.
#                               Set it to YES to enable syncthing.
# syncthing_home (path):        Directory where syncthing configuration
#                               data is stored.
#                               Default: /usr/local/etc/syncthing
# syncthing_log_file (path):    Syncthing log file
#                               Default: /var/log/syncthing.log
# syncthing_user (user):        Set user to run syncthing.
#                               Default is "syncthing".
# syncthing_group (group):      Set group to run syncthing.
#                               Default is "syncthing".

. /etc/rc.subr

name=syncthing
rcvar=syncthing_enable

load_rc_config $name

: ${syncthing_enable:="NO"}
: ${syncthing_home=/usr/local/etc/syncthing}
: ${syncthing_log_file=/var/log/syncthing.log}
: ${syncthing_user:="syncthing"}
: ${syncthing_group=${syncthing_group:-$syncthing_user}}

pidfile=/var/run/syncthing.pid
procname="/usr/local/bin/syncthing"
command="/usr/sbin/daemon"
command_args="-cf -p ${pidfile} ${procname} ${syncthing_home:+-home=${syncthing_home}} ${syncthing_log_file:+-logfile=${syncthing_log_file}} -no-browser ${syncthing_args}"

start_precmd=syncthing_startprecmd

syncthing_startprecmd()
{
        umask 002
        echo "umask sorted"

        if [ ! -e ${pidfile} ]; then
                install -o ${syncthing_user} -g ${syncthing_group} /dev/null ${pidfile};
        fi

        if [ ! -d ${syncthing_home} ]; then
                install -d -o ${syncthing_user} -g ${syncthing_group} ${syncthing_home}
        fi

        if [ ! -e ${syncthing_log_file} ]; then
                install -o ${syncthing_user} -g ${syncthing_group} /dev/null ${syncthing_log_file};
        fi

}

run_rc_command "$1"


But unfortunately, files are still being written as 644's by the user "syncthing".

Is there any way we can force a umask on a service daemon?

Thank you.
 

SirDice

files are still being written as 644's by the user "syncthing".
That would actually be correct with a 022 umask. What permissions were you expecting to see?

Code:
root@molly:/tmp/test # ls -al
total 1
drwxr-xr-x  2 root  wheel    0 Apr 22 13:54 .
drwxrwxrwt  9 root  wheel  512 Apr 22 13:52 ..
root@molly:/tmp/test # umask
22
root@molly:/tmp/test # touch test1
root@molly:/tmp/test # ls -al
total 1
drwxr-xr-x  2 root  wheel   64 Apr 22 13:54 .
drwxrwxrwt  9 root  wheel  512 Apr 22 13:52 ..
-rw-r--r--  1 root  wheel    0 Apr 22 13:54 test1
root@molly:/tmp/test #
root@molly:/tmp/test # umask 077
root@molly:/tmp/test # touch  test2
root@molly:/tmp/test # ls -al
total 1
drwxr-xr-x  2 root  wheel  128 Apr 22 13:54 .
drwxrwxrwt  9 root  wheel  512 Apr 22 13:52 ..
-rw-r--r--  1 root  wheel    0 Apr 22 13:54 test1
-rw-------  1 root  wheel    0 Apr 22 13:54 test2
 
zipitup

Oops, sorry. My bad. I meant to say umask 002 (which was configured correctly as so in the rc.d config file).
 

mickey

How do we properly set umask for services run on FreeBSD?
Unfortunately as of now there is no support for a <name>_umask variable in rc.conf(5), which would probably be the right way to do it. There is however a mechanism that lets you override things in a specific rc script without changing the script itself.

From rc.subr(8):
Code:
     load_rc_config name
           Source in the configuration files for name.  First, /etc/rc.conf is
           sourced if it has not yet been read in.  Then, /etc/rc.conf.d/name
           is sourced if it is an existing file.  The latter may also contain
           other variable assignments to override run_rc_command arguments
           defined by the calling script, to provide an easy mechanism for an
           administrator to override the behaviour of a given rc.d(8) script
           without requiring the editing of that script.
Beware that for this to work as intended, the rc script needs to call load_rc_config at the end, after any variable assignments/function definitions. I have seen some rc scripts that incorrectly call load_rc_config at the beginning, thereby preventing any overrides from working.
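
The ordering caveat in the reply above can be checked mechanically. The following is an added example, not code from the thread or from FreeBSD: a hypothetical helper, `rc_clobbered_overrides`, lists the top-level variable assignments and function definitions that appear after `load_rc_config` in an rc.d script, which are the names an /etc/rc.conf.d/<name> override could not change. The sample script is constructed, modelled on the layout of the script posted in the thread.

```shell
#!/bin/sh
# Added example: list names that an rc.d script sets AFTER load_rc_config.
# /etc/rc.conf.d/<name> is sourced at load_rc_config time, so a later
# unconditional assignment or function definition replaces the override.
# Heuristic: only column-0 lines are inspected, so indented lines inside
# function bodies are ignored; ": ${var:=default}" forms are skipped
# because they keep a value that is already set.
rc_clobbered_overrides() {
    awk '
        /^[ \t]*#/ { next }                                # skip comments
        /^[ \t]*load_rc_config([ \t]|$)/ { loaded = 1; next }
        loaded && /^[A-Za-z_][A-Za-z0-9_]*=/ {             # name=value
            split($0, kv, "="); print "var " kv[1]; next
        }
        loaded && /^[A-Za-z_][A-Za-z0-9_]*[ \t]*\(\)/ {    # name()
            fn = $0; sub(/[ \t]*\(\).*/, "", fn); print "func " fn
        }
    ' "$1"
}

# Constructed sample: load_rc_config is called before the assignments.
sample=$(mktemp)
cat > "$sample" <<'EOF'
. /etc/rc.subr
name=syncthing
rcvar=syncthing_enable
load_rc_config $name
: ${syncthing_user:="syncthing"}
pidfile=/var/run/syncthing.pid
command="/usr/sbin/daemon"
start_precmd=syncthing_startprecmd
syncthing_startprecmd()
{
        umask 002
}
run_rc_command "$1"
EOF

result=$(rc_clobbered_overrides "$sample")
rm -f "$sample"
printf '%s\n' "$result"
```

An empty result means every top-level assignment and function definition precedes `load_rc_config`, which is the ordering the reply says overrides depend on.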
 