[CentOS] Apache umask

Wed Jul 15 19:21:39 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

Am 15.07.20 um 20:02 schrieb Emmett Culley via CentOS:
> On 7/15/20 2:39 AM, Gianluca Cecchi wrote:
>> On Wed, Jul 15, 2020 at 2:39 AM Emmett Culley via CentOS 
>> <centos at centos.org <mailto:centos at centos.org>> wrote:
>>
>>
>>     Thanks for the info.  I hadn't seen that before nor many of the 
>> links.  I had seen the suggested systemd fix, but have never been able 
>> got them to work. And I've tried many combinations.  Still no luck.
>>
>>     There has to be a way to get this done.
>>
>>     Emmett
>>
>>
>> Hi,
>> what is the original need? Could it be that you can accomplish the 
>> desired effect using ACL on particular directories/files?
>>
>> Gianluca
> 
> Might could, but that seems like overkill for my purposes, as I don't 
> use ACLs anywhere else.  I cannot be the only developer that needs 
> apache created files to be managed by a group.  The truth is some sites, 
> like wordpress or joomla, can be better managed when a group member can 
> read or write apache created files.  Like via SFTP or local FTP.
> 
> Today, I have to make all files world writable to update joomla, and 
> that could be better managed by allowing the owning group to access 
> those files.  In the case where the client manages the site, I have to 
> log into the server and change the permissions every time they update 
> the site.  Or even to update most plugins.


This is best addressed in the application.

For example in wordpress you can set

define( 'FS_CHMOD_DIR', ( 0775 & ~ umask() ) );
define( 'FS_CHMOD_FILE', ( 0664 & ~ umask() ) );



> Wprdpress sites are better, but even then, I still sometimes need to set 
> and unset explicit file permissions depending on the plugins installed.
> 
> All this would not be an issue if apache created files with a unask of 
> 002.  One simple adjustment to the server to allow us to use normal 
> Linux file permissions to manage files.
> 
> If I don't find a solution to this I guess I'll have to use your ACL 
> suggestion. It is getting to be pain to manage multiple sites in the 
> current manner.


If the application is to dumpy then ACL is your solution.
ACL has a default flag that allows setting permissions that
gets heritaged. So that files in the future get the right permissions.



> Surely someone knows how to force apache to use a umask of 002, other 
> than building from source.

Not a best practice.


--
Leon