[CentOS] Apache umask

Tue Jul 21 19:22:35 UTC 2020
Emmett Culley <lst_manage at webengineer.com>

On 7/21/20 9:59 AM, Simon Matter wrote:
>> On 7/19/20 10:41 PM, Simon Matter via CentOS wrote:
>>>> On 7/13/20 6:40 PM, Emmett Culley via CentOS wrote:
>>>>> I need to set the umask for apache to 002.  I've tried every idea I've
>>>>> found on the internet, but nothing makes a difference.  Most suggest that
>>>>> I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make
>>>>> a difference.  Others suggest adding something to the httpd.service
>>>>> script for systemd.  And that doesn't make any difference.
>>>>
>>>> I had a couple sideline emails with Emmett about suexec possibly being the
>>>> culprit.  TL;DR: that's not it.
>>>>
>>>> The apache suexec utility can enforce a umask (typically 022) on CGI and
>>>> SSI (server-side includes).  Taking a look at the source in
>>>> support/suexec.c, if compiled with AP_SUEXEC_UMASK set to some value, it
>>>> will set the umask; else there is no umask change.  AP_SUEXEC_UMASK is set
>>>> via ./configure with --with-suexec-umask.
>>>>
>>>> In CentOS 8 httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.src.rpm the
>>>> httpd.spec for ./configure with suexec-related configuration flags are
>>>> notably absent of --with-suexec-umask.  I also did a prep of the sources
>>>> and no patches modify the suexec sources in this way.
>>>
>>> I may have missed something but it seems to work in my test:
>>>
>>> # grep -i umask /proc/<http_worker>/status
>>> Umask:	0022
>>>
>>> # cat /etc/systemd/system/httpd.service.d/override.conf
>>> [Service]
>>> UMask=0002
>>>
>>> # systemctl edit httpd.service
>>> < enter override config >
>>>
>>> <reload/restart httpd>
>>>
>>> # grep -i umask /proc/<http_worker>/status
>>> Umask:	0002
>>>
>>> That's what you are looking for, isn't it?
>>>
>>> I didn't test to write files but at least the umask on the process is set
>>> as it seems.
>>>
>>> Regards,
>>> Simon
>>>
>> How can I find the value for <http_worker>?
>>
>> Emmett
> 
> With <http_worker> I meant the processes running httpd. Try this:
> 
> ps faxu | grep http[d]
> 
> This will give you the list of PIDs and the UID running it. First PID is
> usually run by root and the children are run by user apache.
> 
> Regards,
> Simon
> 

That's what I thought, but didn't see any results.  I may have had apache stopped because of systemd errors.  I did it just now and saw six threads and each shows a umask of 0002.

So it looks like the changes I made to systemd config made a difference after all.  Since I am still seeing that group write is not getting set, it must be the application.

Thanks for helping me to see that.

Emmett
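
Added example, not part of the original thread: a shell script that automates the check used above (reading `Umask:` from `/proc/<pid>/status` for every httpd process) and shows why a process umask of 0002 alone does not produce group-writable files. The function names `check_umask` and `effective_mode` and the optional proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the umask of every process with a given name.
# Usage: script.sh httpd 0002

# Print "<pid> <uid> <umask> OK|MISMATCH" for each process named $1.
# $2 = expected umask, $3 = proc root (default /proc; a hypothetical
# override so the check can be run against a saved copy).
# Returns 1 if no such process exists or any umask differs from $2.
check_umask() {
    name=$1 expected=$2 root=${3:-/proc}
    rc=0 found=0
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        pname=$(awk '$1 == "Name:" {print $2; exit}' "$status")
        [ "$pname" = "$name" ] || continue
        found=1
        pid=${status%/status}; pid=${pid##*/}
        uid=$(awk '$1 == "Uid:" {print $2; exit}' "$status")
        mask=$(awk '$1 == "Umask:" {print $2; exit}' "$status")
        if [ "$mask" = "$expected" ]; then verdict=OK
        else verdict=MISMATCH; rc=1; fi
        echo "$pid $uid $mask $verdict"
    done
    [ "$found" -eq 1 ] || return 1
    return $rc
}

# Mode a new file ends up with: the mode the application requested,
# with the umask bits cleared. A umask never adds bits, so a request
# for 0644 stays 0644 under both 0022 and 0002.
# $1 = requested mode (octal), $2 = umask (octal).
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

if [ $# -ge 2 ]; then
    check_umask "$@"
fi
```

If `check_umask httpd 0002` reports OK for every worker but new files still lack group write, compare the mode the application passes when creating files against `effective_mode`.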