[CentOS] Apache umask

Tue Jul 21 16:59:28 UTC 2020
Simon Matter <simon.matter at invoca.ch>

> On 7/19/20 10:41 PM, Simon Matter via CentOS wrote:
>>> On 7/13/20 6:40 PM, Emmett Culley via CentOS wrote:
>>>> I need to set the umask for apache to 002.  I've tried every idea I've
>>>> found on the internet, but nothing makes a difference.  Most suggest that
>>>> I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make
>>>> a difference.  Others suggest adding something to the httpd.service
>>>> script for systemd.  And that doesn't make any difference.
>>>
>>> I had a couple sideline emails with Emmett about suexec possibly being the
>>> culprit.  TL;DR: that's not it.
>>>
>>> The apache suexec utility can enforce a umask (typically 022) on CGI and
>>> SSI (server-side includes).  Taking a look at the source in
>>> support/suexec.c, if compiled with AP_SUEXEC_UMASK set to some value, it
>>> will set the umask; else there is no umask change.  AP_SUEXEC_UMASK is set
>>> via ./configure with --with-suexec-umask.
>>>
>>> In CentOS 8 httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.src.rpm the
>>> httpd.spec for ./configure with suexec-related configuration flags are
>>> notably absent of --with-suexec-umask.  I also did a prep of the sources
>>> and no patches modify the suexec sources in this way.
>>
>> I may have missed something but it seems to work in my test:
>>
>> # grep -i umask /proc/<http_worker>/status
>> Umask:	0022
>>
>> # cat /etc/systemd/system/httpd.service.d/override.conf
>> [Service]
>> UMask=0002
>>
>> # systemctl edit httpd.service
>> < enter override config >
>>
>> <reload/restart httpd>
>>
>> # grep -i umask /proc/<http_worker>/status
>> Umask:	0002
>>
>> That's what you are looking for, isn't it?
>>
>> I didn't test to write files but at least the umask on the process is set
>> as it seems.
>>
>> Regards,
>> Simon
>>
> How can I find the value for <http_worker>?
>
> Emmett

With <http_worker> I meant the processes running httpd. Try this:

ps faxu | grep http[d]

This will give you the list of PIDs and the UID running it. First PID is
usually run by root and the children are run by user apache.

Regards,
Simon
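
Added example, not part of the original message: a POSIX shell helper that automates the check discussed in this thread by reading Name, Uid and Umask from each /proc/<pid>/status and flagging any httpd process whose umask differs from the expected value. The function names and the proc-root argument are assumptions made for this example; a status file without a Umask line (older kernels) is reported as unknown.

```shell
#!/bin/sh
# Added example: report the umask of every httpd process and flag mismatches.
# status_field and check_httpd_umask are hypothetical helper names.

# Print the first value of one field (Name, Uid, Umask, ...) from a status file.
status_field() {
    # $1 = path to a /proc/<pid>/status file, $2 = field name without the colon
    awk -v f="$2:" '$1 == f { print $2; exit }' "$1" 2>/dev/null
}

# Print "PID UID UMASK VERDICT" for each process named httpd.
# $1 = proc root (normally /proc), $2 = expected umask as shown by the kernel,
# for example 0002 for the UMask=0002 drop-in from the thread.
check_httpd_umask() {
    proc_root=$1
    expected=$2
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        [ "$(status_field "$status" Name)" = "httpd" ] || continue
        pid=${status%/status}
        pid=${pid##*/}
        uid=$(status_field "$status" Uid)     # real UID: 0 for the parent
        mask=$(status_field "$status" Umask)  # empty if the kernel omits it
        if [ -z "$mask" ]; then
            verdict=unknown
        elif [ "$mask" = "$expected" ]; then
            verdict=ok
        else
            verdict=mismatch
        fi
        echo "$pid $uid ${mask:-none} $verdict"
    done
    return 0
}
```

On a live host, run `check_httpd_umask /proc 0002` as root after restarting httpd; every line should end in `ok`, including the root-owned parent and the children running as apache.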