Setting umask on daemon

I have syncthing installed. But I guess this question can be posed to any daemon running on FreeBSD.

How do we properly set umask for services run on FreeBSD?

I have tried setting it in /etc/login.conf, but that only applies to a shell executed (by a user).

A service does not look at login.conf so I have modified /etc/local/etc/rc.d/syncthing file to call "umask 022" at precmd.

Code:
#!/bin/sh

# $FreeBSD: head/net/syncthing/files/syncthing.in 470134 2018-05-16 17:26:15Z swills $
#
# PROVIDE: syncthing
# REQUIRE: DAEMON
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
# syncthing_enable (bool):      Set to NO by default.
#                               Set it to YES to enable syncthing.
# syncthing_home (path):        Directory where syncthing configuration
#                               data is stored.
#                               Default: /usr/local/etc/syncthing
# syncthing_log_file (path):    Syncthing log file
#                               Default: /var/log/syncthing.log
# syncthing_user (user):        Set user to run syncthing.
#                               Default is "syncthing".
# syncthing_group (group):      Set group to run syncthing.
#                               Default is "syncthing".

. /etc/rc.subr

name=syncthing
rcvar=syncthing_enable

load_rc_config $name

: ${syncthing_enable:="NO"}
: ${syncthing_home=/usr/local/etc/syncthing}
: ${syncthing_log_file=/var/log/syncthing.log}
: ${syncthing_user:="syncthing"}
: ${syncthing_group=${syncthing_group:-$syncthing_user}}

pidfile=/var/run/syncthing.pid
procname="/usr/local/bin/syncthing"
command="/usr/sbin/daemon"
command_args="-cf -p ${pidfile} ${procname} ${syncthing_home:+-home=${syncthing_home}} ${syncthing_log_file:+-logfile=${syncthing_log_file}} -no-browser ${syncthing_args}"

start_precmd=syncthing_startprecmd

syncthing_startprecmd()
{
        umask 002
        echo "umask sorted"

        if [ ! -e ${pidfile} ]; then
                install -o ${syncthing_user} -g ${syncthing_group} /dev/null ${pidfile};
        fi

        if [ ! -d ${syncthing_home} ]; then
                install -d -o ${syncthing_user} -g ${syncthing_group} ${syncthing_home}
        fi

        if [ ! -e ${syncthing_log_file} ]; then
                install -o ${syncthing_user} -g ${syncthing_group} /dev/null ${syncthing_log_file};
        fi

}

run_rc_command "$1"


But unfortunately, files are still being written as 644's by the user "syncthing".

Is there any way we can force a umask on a service daemon?

Thank you.
 
files are still being written as 644's by the user "syncthing".
That would actually be correct with a 022 umask. What permissions were you expecting to see?

Code:
root@molly:/tmp/test # ls -al
total 1
drwxr-xr-x  2 root  wheel    0 Apr 22 13:54 .
drwxrwxrwt  9 root  wheel  512 Apr 22 13:52 ..
root@molly:/tmp/test # umask
22
root@molly:/tmp/test # touch test1
root@molly:/tmp/test # ls -al
total 1
drwxr-xr-x  2 root  wheel   64 Apr 22 13:54 .
drwxrwxrwt  9 root  wheel  512 Apr 22 13:52 ..
-rw-r--r--  1 root  wheel    0 Apr 22 13:54 test1
root@molly:/tmp/test #
root@molly:/tmp/test # umask 077
root@molly:/tmp/test # touch  test2
root@molly:/tmp/test # ls -al
total 1
drwxr-xr-x  2 root  wheel  128 Apr 22 13:54 .
drwxrwxrwt  9 root  wheel  512 Apr 22 13:52 ..
-rw-r--r--  1 root  wheel    0 Apr 22 13:54 test1
-rw-------  1 root  wheel    0 Apr 22 13:54 test2
 

Oops, sorry. My bad. I meant to say umask 002 (which was configured correctly as so in the rc.d config file).
 
How do we properly set umask for services run on FreeBSD?
Unfortunately, as of now there is no support for a <name>_umask variable in rc.conf(5), which would probably be the right way to do it. There is, however, a mechanism that lets you override things in a specific rc script without changing the script itself.

From rc.subr(8):
Code:
     load_rc_config name
           Source in the configuration files for name.  First, /etc/rc.conf is
           sourced if it has not yet been read in.  Then, /etc/rc.conf.d/name
           is sourced if it is an existing file.  The latter may also contain
           other variable assignments to override run_rc_command arguments
           defined by the calling script, to provide an easy mechanism for an
           administrator to override the behaviour of a given rc.d(8) script
           without requiring the editing of that script.
Beware that for this to work as intended, the rc script needs to call load_rc_config at the end, after any variable assignments/function definitions. I have seen some rc scripts that incorrectly call load_rc_config at the beginning, thereby preventing any overrides from working.
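To make the override mechanism and the ordering caveat concrete, here is an added example that is not code from the thread or from the syncthing port. It builds a mock rc.d script and a stand-in for /etc/rc.conf.d/syncthing in a scratch directory, so it runs unprivileged on any POSIX sh; the "daemon" is just a file creation, and the names demo_*, RC_CONF_D and DAEMON_OUT are assumptions for the demo, not real rc.subr variables. The override file simply redefines start_precmd to a function with a stricter umask, which is exactly what you would put in /etc/rc.conf.d/syncthing on a real system.

```shell
#!/bin/sh
# Added example (not from the original thread or the syncthing port): simulates
# the /etc/rc.conf.d/<name> override described in rc.subr(8). demo_*, RC_CONF_D
# and DAEMON_OUT are names invented for this demo.

# Write a mock rc.d script. $1 is "early" or "late": whether the per-service
# override file is sourced before or after the script's own start_precmd
# assignment. "early" mirrors calling load_rc_config at the top of the script
# (as the posted syncthing script does); "late" mirrors calling it after the
# assignments, which is what lets the override take effect.
demo_write_rc_script() {
    order=$1 script=$2
    {
        echo '#!/bin/sh'
        echo 'name=syncthing'
        echo 'syncthing_startprecmd() { umask 022; }'
        if [ "$order" = early ]; then
            echo '[ -r "$RC_CONF_D/$name" ] && . "$RC_CONF_D/$name"'
        fi
        echo 'start_precmd=syncthing_startprecmd'
        if [ "$order" = late ]; then
            echo '[ -r "$RC_CONF_D/$name" ] && . "$RC_CONF_D/$name"'
        fi
        # run_rc_command runs the precmd in the same shell that then starts the
        # daemon, so the umask it sets is inherited by the file created next.
        echo '$start_precmd'
        echo ': > "$DAEMON_OUT"'
    } > "$script"
}

# Stand-in for /etc/rc.conf.d/syncthing: replace the script's precmd with one
# that applies a stricter umask, without editing the rc.d script itself.
demo_write_override() {
    cat > "$1" <<'EOF'
demo_override_precmd() { umask 027; }
start_precmd=demo_override_precmd
EOF
}

# Run the mock script with the override in place and print the mode string of
# the file the "daemon" created, e.g. -rw-r--r--. ls -l is used instead of
# stat(1) because stat's flags differ between FreeBSD and GNU coreutils.
demo_run() {
    order=$1
    work=$(mktemp -d) || return 1
    mkdir -p "$work/rc.conf.d" "$work/rc.d"
    demo_write_rc_script "$order" "$work/rc.d/syncthing"
    demo_write_override "$work/rc.conf.d/syncthing"
    RC_CONF_D="$work/rc.conf.d" DAEMON_OUT="$work/daemon.out" \
        sh "$work/rc.d/syncthing"
    mode=$(ls -ld "$work/daemon.out" | cut -c1-10)
    rm -rf "$work"
    printf '%s\n' "$mode"
}

printf 'override sourced early (clobbered by script): %s\n' "$(demo_run early)"
printf 'override sourced late  (honoured):            %s\n' "$(demo_run late)"
```

Running it shows the late case producing -rw-r----- (the override's umask 027 took effect) and the early case producing -rw-r--r-- (the script's own `start_precmd=` assignment overwrote the override, so umask 022 applied). The same check works against a real service: put the two override lines in /etc/rc.conf.d/syncthing, restart the service, and inspect the mode of a file it creates afterwards.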
 