[CentOS] Apache umask

Sat Jul 18 19:51:45 UTC 2020
Emmett Culley <lst_manage at webengineer.com>

On 7/15/20 12:21 PM, Leon Fauster via CentOS wrote:
> Am 15.07.20 um 20:02 schrieb Emmett Culley via CentOS:
>> On 7/15/20 2:39 AM, Gianluca Cecchi wrote:
>>> On Wed, Jul 15, 2020 at 2:39 AM Emmett Culley via CentOS <centos at centos.org <mailto:centos at centos.org>> wrote:
>>>
>>>
>>>     Thanks for the info.  I hadn't seen that before nor many of the links.  I had seen the suggested systemd fix, but have never been able got them to work. And I've tried many combinations.  Still no luck.
>>>
>>>     There has to be a way to get this done.
>>>
>>>     Emmett
>>>
>>>
>>> Hi,
>>> what is the original need? Could it be that you can accomplish the desired effect using ACL on particular directories/files?
>>>
>>> Gianluca
>>
>> Might could, but that seems like overkill for my purposes, as I don't use ACLs anywhere else.  I cannot be the only developer that needs apache created files to be managed by a group.  The truth is some sites, like wordpress or joomla, can be better managed when a group member can read or write apache created files.  Like via SFTP or local FTP.
>>
>> Today, I have to make all files world writable to update joomla, and that could be better managed by allowing the owning group to access those files.  In the case where the client manages the site, I have to log into the server and change the permissions every time they update the site.  Or even to update most plugins.
> 
> 
> This is best addressed in the application.
> 
> For example in wordpress you can set
> 
> define( 'FS_CHMOD_DIR', ( 0775 & ~ umask() ) );
> define( 'FS_CHMOD_FILE', ( 0664 & ~ umask() ) );
> 
> 
> 
>> Wprdpress sites are better, but even then, I still sometimes need to set and unset explicit file permissions depending on the plugins installed.
>>
>> All this would not be an issue if apache created files with a unask of 002.  One simple adjustment to the server to allow us to use normal Linux file permissions to manage files.
>>
>> If I don't find a solution to this I guess I'll have to use your ACL suggestion. It is getting to be pain to manage multiple sites in the current manner.
> 
> 
> If the application is to dumpy then ACL is your solution.
> ACL has a default flag that allows setting permissions that
> gets heritaged. So that files in the future get the right permissions.
> 
> 
> 
>> Surely someone knows how to force apache to use a umask of 002, other than building from source.
> 
> Not a best practice.
> 

Can you suggest why allowing apache to create a file that is group writable in a directory that has the gid bit set, and owned by a group designated by the sysadmin, would be a "bad practice"?

Adding the FS_CHMOD* settings to an application is not always possible and should not be necessary given access to setting the UMASK for an application.

The purpose of the UMASK is to allow server owners the ability to make that server perform best for their purposes.

Since no one seems to have an answer to setting the UMASK for apache than l'll have to use ACLs as others have suggested.

Emmett