# How to set umask for apache?



## msteiner (May 25, 2011)

Hi,

I tried to give the www user a login shell (sh) and set in .profile

```
umask 002
```
When I do `sudo su - www` I have the correct umask.


```
$ sudo su - www
$ umask
0002
```

But when I start the webserver it does not affect it.

I set

```
umask 002
```

in /usr/local/etc/rc.d/apache, but I normally avoid modifying such files because they could be modified/kicked due to a *portupdate*.

Any ideas?

BTW: my problem is, I have inside my /home some webroots, and when Apache creates files (php, joomla) the files are in the group www (which I'm in of course) but in 644 so I can't modify/delete them without sudo or root permissions.


----------



## anomie (May 25, 2011)

msteiner said:

> I tried to give the www user a login shell (sh) and set in .profile
> 
> ```
> umask 002
> ```
> ...



That's because you're not executing a login shell for that user. 



			
				msteiner said:
			
		

> I set
> 
> 
> 
> ...



Setting umask in the rc.d script should work. (Have you tried it?) I agree that a later port update could overwrite it, though. You might consider keeping the current production version under rcs(1) or some such, and testing for changes following updates. 



			
				msteiner said:
			
		

> BTW: my problem is, I have inside my /home some webroots, and when Apache creates files (php, joomla) the files are in the group www (which I'm in of course) but in 644 so I can't modify/delete them without sudo or root permissions.



I'm curious to explore this point more. Under what circumstances are you trying to modify/delete www-created files?


----------



## msteiner (May 25, 2011)

anomie said:

> That's because you're not executing a login shell for that user.



Hm, I set /bin/sh instead of /usr/bin/nologin and set the home directory to /home/www/; I think this should be enough for a login shell?!



			
				anomie said:
			
		

> Setting umask in the rc.d script should work. (Have you tried it?) I agree that a later port update could overwrite it, though. You might consider keeping the current production version under rcs(1) or some such, and testing for changes following updates.



Yes, this works like a charm, files and directories are now created read/writeable for the group www.



			
				anomie said:
			
		

> I'm curious to explore this point more. Under what circumstances are you trying to modify/delete www-created files?



My problem is that the webserver runs as user www, and I have inside my home directory some webhostings ~www/joomla for a joomla test environment. I work as my user (m.steiner) there, and when I install stuff with joomla internal functions the webserver uploads the files/creates files and directories. So the webserver creates files which I don't own and so I don't have the permissions to modify/delete them (I have to *chown* them with root and I try to avoid root usage).


----------



## msteiner (May 25, 2011)

msteiner said:

> ~www/joomla



I mean ~/www/joomla!


----------



## anomie (May 25, 2011)

msteiner said:

> Hm, I set /bin/sh instead of /usr/bin/nologin and set the home directory to /home/www/, think this should be enough for a login shell?!



Yes, but your rc.d script is launching httpd, _not_ a Bourne shell. Why should it read ~/.profile, then?



			
				msteiner said:
			
		

> Yes, this works like a charm, files and directories are now created read/writeable for the group www.
> 
> ...
> 
> My problem is that the webserver runs as user www, and I have inside my home directory some webhostings ~www/joomla for a joomla test environment. I work as my user (m.steiner) there, and when I install stuff with joomla internal functions the webserver uploads the files/creates files and directories. So the webserver creates files which I don't own and so I don't have the permissions to modify/delete them (I have to *chown* them with root and I try to avoid root usage).



I had a similar issue with a customer a few months back. My (arguably horrible) fix was to have a cronjob fix up ownership and permissions at regular intervals for a targeted set of directories. 

That or the rc.d script change are the most "elegant" suggestions I know of at this time.


----------



## DutchDaemon (May 25, 2011)

@msteiner, read the PM I sent you.


----------



## msteiner (May 26, 2011)

I found an interesting file, and the solution:

/usr/local/sbin/envvars

This file builds the environment for apachectl; it evaluates each file which matches *.env and is located in:

/usr/local/etc/apache22/envvars.d/

This will do it:


```
# echo 'umask 2' > /usr/local/etc/apache22/envvars.d/umask.env
# /usr/local/etc/rc.d/apache22 restart
```


----------



## quintessence (May 26, 2011)

Hello,

*msteiner*, the intelligent solution is to set "root" (directory root of your web server) with *chmod* 775 and owner your_user:www, without changing any group, any rc.d startup script, adding shells to the www user, etc.


```
drwxrwxr-x   2 bobi  www            512 May 26 14:42 upload

#ls -l upload
total 8
-rw-r--r--  1 bobi  www   294 May 26 14:33 index.html
-rw-r--r--  1 bobi  www  1202 May 26 14:38 upload.php
```

Here is my test directory for uploading, in which I uploaded some png file via the web.


```
-rw-r--r--  1 www   www  9317 May 26 14:47 11.png
-rw-r--r--  1 bobi  www   294 May 26 14:33 index.html
-rw-r--r--  1 bobi  www  1202 May 26 14:38 upload.php
```

Now I'll delete the uploaded file with my user:


```
$ id
uid=1001(bobi) gid=1001 groups=1001
$ rm 11.png
override rw-r--r--  www/www for 11.png? y
$ ls -l
total 8
-rw-r--r--  1 bobi  www   294 May 26 14:33 index.html
-rw-r--r--  1 bobi  www  1202 May 26 14:38 upload.php
```


----------



## msteiner (May 27, 2011)

Try to create a directory in PHP and create a file in this directory; the user has no permission to modify the file, (I guess) because the directory is created with 0755 and the files in it with 0644, so you are in the group www but you don't have permissions to modify files inside the directory.

You can delete a file which you don't own if you have the permission to modify the directory where the file is located. I think this is because you modify the directory (remove an entry from the file list).


```
[mirko@server ~]$ mkdir a
[mirko@server ~]$ ls -la a
total 29
drwxr-xr-x   2 mirko  mirko    2 May 28 00:11 .
drwxr-xr-x  68 mirko  mirko  220 May 28 00:11 ..
[mirko@server ~]$ sudo touch a/b
[mirko@server ~]$ ls -l a/b
-rw-r--r--  1 root  mirko  0 May 28 00:11 a/b
[mirko@server ~]$ rm a/b 
override rw-r--r--  root/mirko for a/b? y
```

I set the setgid bit on directories with `$ find . -type d -exec chmod 2775 {} \;`, so when I create a file in the directory it gets owned by the group www; due to the umask 2 for the webserver and my user, the files can be modified by both the user and the webserver.
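The two mechanisms discussed in this thread, umask being inherited by a child process from whatever process sets it (which is why an envvars.d snippet or rc.d script works and the www user's ~/.profile does not), and a setgid 2775 directory, can be checked in a scratch directory. This is an added example, not code from the thread; it only uses a temporary directory under ${TMPDIR:-/tmp} and never touches a real web root or the www user.

```shell
#!/bin/sh
# Added example (not from the thread): umask is a per-process attribute
# inherited by children, and a setgid directory plus umask 002 yields
# group-writable files. Everything happens under a scratch directory.
set -eu

WORK="${TMPDIR:-/tmp}/umask-demo.$$"

# Print the symbolic mode column of a path, e.g. "-rw-rw-r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a file under a fresh "web root" from a child process that first
# sets the given umask, the same way apachectl's environment (envvars.d)
# or the rc.d script sets it before httpd is exec'd. Echoes the file mode.
create_file_with_umask() {
    root="$WORK/root-$1"
    mkdir -p "$root"
    chmod 2775 "$root"      # setgid + group-writable web root
    # The subshell only has this umask because we set it here; the
    # parent's umask is untouched. Likewise httpd never reads the www
    # user's ~/.profile, so a umask placed there never reaches it.
    ( umask "$1"; : > "$root/upload.txt" )
    mode_of "$root/upload.txt"
}

# Mode of a directory after chmod 2775: "drwxrwsr-x" (the 's' is setgid,
# so entries created inside it inherit the directory's group).
root_mode() {
    mkdir -p "$WORK/root-$1"
    chmod 2775 "$WORK/root-$1"
    mode_of "$WORK/root-$1"
}

cleanup() { rm -rf "$WORK"; }

if [ "${1:-}" = "run" ]; then
    echo "umask 022 -> $(create_file_with_umask 022)"   # -rw-r--r--
    echo "umask 002 -> $(create_file_with_umask 002)"   # -rw-rw-r--
    echo "directory -> $(root_mode 002)"                # drwxrwsr-x
    cleanup
fi
```

Run it as `sh umask-demo.sh run`; with umask 022 the uploaded file is only owner-writable (the thread's original problem), with 002 it is group-writable.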


----------

