56

I am setting up a LAMP server and would like to set Apache's umask setting to 002 so that all Apache-created files have the group write permission bit set (so members of the same group can overwrite the files).

Does anyone know how to do this? I know that on Ubuntu, you can use the /etc/apache2/envvars file to configure the umask, but the server is running CentOS.

Update: This question is related to another I asked a while ago (Linux users and groups for a LAMP server). If preferred, please update this other question with what the best set-up is to use for having a developer user on a server that can edit files created by the apache user.

Community
DavidWinterbottom
    I got here while trouble shooting an issue with apache on Ubuntu 10.04 LTS. Originally, adding /etc/apache2/envvars did not work. After doing an 'apt-get update' and 'apt-get upgrade' and reboot. It started working as expected. (Note version of apache is now listed as "2.2.14-5ubuntu8.4" afraid I didn't pull what it was before.) Anyway, if you are having issues, try the upgrade. – Alan W. Smith May 31 '11 at 23:11
  • 1
    On Ubuntu, I couldn't get it to work by simply restarting using `apache2ctl restart` (or `apache2ctl graceful`). But stopping and then starting worked...`service apache2 restart` also worked (`service apache2 graceful` did not). – Matt Browne Jan 11 '13 at 18:05

11 Answers

118

For CentOS and other Red Hat distros, add the umask setting to /etc/sysconfig/httpd and restart apache.

[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd
[root ~]$ service httpd restart

More info: Apache2 umask | MDLog:/sysadmin

For Debian and Ubuntu systems, you would similarly edit /etc/apache2/envvars.

cweiske
Patrick Fisher
  • 1
    Thanks, this worked for me. Is it possible to set the umask through a vhost config? – Mike Purcell Jan 26 '12 at 17:53
  • No, you can't set the apache process umask through a vhost config. – Patrick Fisher Mar 01 '12 at 19:14
  • 1
    On Ubuntu, I couldn't get it to work by simply restarting using `apache2ctl restart` (or `apache2ctl graceful`). But stopping and then starting worked...`service apache2 restart` also worked (`service apache2 graceful` did not). – Matt Browne Jan 11 '13 at 18:04
  • 5
    @MattB.That's because a graceful doesn't actually kill the main apache process. It tells all the forked children to finish up what they are doing (serve your last request) then DIE. The new children are created with the new configuration changes. Certain configuration changes require the parent to be killed and restarted, and umask is one of those changes. I hope that makes sense. – Patrick James McDougle Mar 14 '13 at 15:08
  • 2
    This does not work on Centos7.4 but Luoti's answer did, though this makes more sense to me... – Vic Apr 30 '18 at 13:11
30

This was the first result in Google search results for "CentOS 7 apache umask", so I will share what I needed to do to get this working with CentOS 7.

With CentOS 7 the `echo "umask 002" >> /etc/sysconfig/httpd` method did not work for me.

I overwrote the systemd startup file by creating the folder /etc/systemd/system/httpd.service.d, and in it I created a file umask.conf with these lines:

[Service]
UMask=0007

Booted and it worked for me.

Spider man
Luoti
  • Works fine also for Debian, except that path should be `/etc/systemd/system/apache2.service.d/override.conf`. – dma_k Feb 14 '19 at 20:54
  • 1
    UMask=0007 creates files with owner=r/w, group=r/w, and others=none. Use UMask=0002 for owner=r/w, group=r/w and others=r, i.e. read/write for owners or group members and read-only for all others. – pbnelson Jan 16 '20 at 17:08
  • 2
    UMask=0002 is the correct mask, at least for my purposes. The httpd service, owned by the apache user, creates files (such as error.log, activity.log, debug.log, etc.) with -rw-rw-r-- permission. Users added to the apache group will have full access to these files. – UncaAlby Jun 15 '20 at 20:44
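Putting the drop-in answer above and the 0007-versus-0002 comments together, as an added example that is not code from any of the answers: a script that writes the systemd drop-in, reloads, and reports the file modes each UMask value produces. The function names (write_umask_dropin, expected_mode, running_umask) are chosen here; it assumes a systemd host and, for running_umask, a kernel that exposes the "Umask:" line in /proc/PID/status (Linux 4.7 and later).

```shell
#!/bin/sh
# Added example, not code from the original answers: write the systemd drop-in
# from Luoti's answer, reload, and check the result. Assumes a systemd host
# (CentOS 7/8 style) and, for running_umask, a kernel that exposes "Umask:" in
# /proc/PID/status (Linux 4.7 and later).
set -eu

# write_umask_dropin UNIT UMASK [SYSTEMD_DIR]
# Creates UNIT.service.d/umask.conf; SYSTEMD_DIR defaults to /etc/systemd/system
# (a scratch directory can be passed for testing). Prints the drop-in path.
write_umask_dropin() {
    dir="${3:-/etc/systemd/system}/$1.service.d"
    mkdir -p "$dir"
    printf '[Service]\nUMask=%s\n' "$2" > "$dir/umask.conf"
    printf '%s\n' "$dir/umask.conf"
}

# expected_mode file|dir UMASK
# Mode that a process under UMASK gives a new file (base 0666) or directory
# (base 0777), computed digit by digit so leading zeros are never misread.
expected_mode() {
    base=666; [ "$1" = dir ] && base=777
    mask="000$2"; mask=${mask#"${mask%???}"}   # keep the last three digits
    out=0; i=1
    while [ "$i" -le 3 ]; do
        b=$(printf '%s' "$base" | cut -c "$i")
        m=$(printf '%s' "$mask" | cut -c "$i")
        out="$out$(( b & (7 - m) ))"         # clear the bits the mask names
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# running_umask UNIT: umask of the unit's main process, read from /proc.
running_umask() {
    pid=$(systemctl show -p MainPID "$1" | cut -d= -f2)
    [ "$pid" -gt 0 ] && awk '/^Umask:/ {print $2}' "/proc/$pid/status"
}

# Apply to httpd only when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = apply ]; then
    write_umask_dropin httpd 0002
    systemctl daemon-reload     # the unit changed on disk
    systemctl restart httpd     # full restart; a graceful reload keeps the old umask
    echo "httpd umask now $(running_umask httpd); new files get $(expected_mode file 0002)"
fi
```

Run it as root with the argument `apply` to change httpd; without arguments it only defines the functions.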
8

Apache inherits its umask from its parent process (i.e. the process starting Apache); this should typically be the /etc/init.d/ script. So put a umask command in that script.

heemayl
Martin v. Löwis
  • 1
    Perfect. Works fine on Debian with Apache 2 (the name of the script to modify is /etc/init.d/apache2 in such case). – Fedir RYKHTIK Sep 01 '11 at 14:51
  • 15
    The answer by Patrick Fisher below gives much better advice as modifying apache init scripts directly is dangerous - all your changes might be lost at the next update. – Michael Pliskin Oct 27 '11 at 14:33
  • Where do I exactly put `umask` in that file? – NRG May 10 '17 at 11:13
  • Unfortunately, this is an Old question with an Old accepted answer, and isn't going to work in Redhat/CentOS 7/8, which has abandoned the /etc/init.d structure. – UncaAlby Jun 15 '20 at 20:30
3

Adding a umask command to /etc/apache2/envvars does not seem like a good idea to me, not only because of the name of the file (mentioning variables only) but also based on this comment found in that file:

# Since there is no sane way to get the parsed apache2 config in scripts, some
# settings are defined via environment variables and then used in apache2ctl,
# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.

This suggests that /etc/apache2/envvars might be sourced by any script doing Apache-related tasks, and changing the umask of those (unknown beforehand) scripts is rather dangerous.

On the other hand, in case the idea of changing the umask of Apache targets relaxing the permissions of files created by mod_dav, you should consider that the DAV repository is considered private to Apache and letting other processes access those files may lead to various issues (including corruption).

2

Adding to the answer by Luoti / Spider Man for CentOS 7: instead of "booting" after the change, these commands can be used:

systemctl daemon-reload
service httpd restart
  • It does warn you when you attempt to restart the service that the daemon-reload is necessary due to changes in the system configurations. All I did was copy-and-paste part of the warning message to the command line, then did the restart again, and all was good to go. – UncaAlby Jun 15 '20 at 20:54
1

In Debian another place to set up the umask for Apache is /etc/default/apache2. Just add this line at the end of the file: umask 0002

Francis
1

What you may want to do instead is set the group sticky (SetGID) bit on the directory your CGI is working with:

chgrp mygroup dir
chmod g+s dir

Make sure when you do this that (user) apache is in the mygroup group (in /etc/group), so it will have permissions.

This will make it so any file created under this directory will be owned by the same group as the directory.

This is a safer approach than setting a global umask for EVERY cgi script that apache may run.

(This is how git-http-backend is typically run from Apache).

Brad
  • 2
    I still don't see how this will work without a `umask` considering the default file creation mode by apache usually (755) leaves files unwritable by group. I'm stuck having to frequently run `chmod g+w -R dir/` – Jeff Puckett Oct 12 '17 at 15:02
  • This is an excellent thing to do, especially in a development environment where developers are adding and removing files all the time. However, the umask still needs to be set. The well-known solution for normal users is to add the command to /etc/profile or /etc/bashrc, but the apache user is not "normal" in that it never logs in. – UncaAlby Jun 15 '20 at 20:57
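The point raised in the two comments above, as an added example that is not code from the answer: a setgid directory makes new files inherit the directory's group, but only the umask decides whether that group may write them. The function name mode_in_setgid_dir is chosen here; it needs nothing but a writable temporary directory.

```shell
#!/bin/sh
# Added example, not from the original answer: a setgid directory fixes the
# group of new files, but the umask still decides the group's write bit.
# Runs as an unprivileged user on any Linux box.
set -eu

# mode_in_setgid_dir UMASK: create a scratch setgid directory, create a file in
# it under UMASK (in a subshell, so the caller's umask is untouched) and print
# the file's ten-character mode string from ls, e.g. -rw-rw-r--.
mode_in_setgid_dir() {
    scratch=$(mktemp -d)
    chmod 2775 "$scratch"                 # drwxrwsr-x: the "s" is setgid
    ( umask "$1"; : > "$scratch/new.txt" )
    ls -l "$scratch/new.txt" | cut -c1-10
    rm -rf "$scratch"
}

# With the common default umask of 022 the group stays read-only even under
# setgid; 002 is what the chgrp/chmod g+s recipe needs for group write access.
echo "umask 022 -> $(mode_in_setgid_dir 022)"   # -rw-r--r--
echo "umask 002 -> $(mode_in_setgid_dir 002)"   # -rw-rw-r--
```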
0

For Ubuntu there is the tool svnwrap:

  1. Install it: sudo apt-get install subversion-tools
  2. Wrap svn and svnserve with svnwrap:
    sudo ln -s /usr/bin/svnwrap /usr/local/bin/svn
    sudo ln -s /usr/bin/svnwrap /usr/local/bin/svnserve

After this, all svn operations using the file://, svn+ssh:// and http:// protocols will be done with umask 002.

AndreyP
0

This might be helpful.

Managing file permissions for rhel/centos

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/file-permissions-rhel8_configuring-basic-system-settings#displaying-the-umask_file-permissions-rhel8

# ls -lrt /etc/systemd/system/httpd.service.d/umask.conf
-rw-r--r-- 1 root root 21 Feb 25 10:19 /etc/systemd/system/httpd.service.d/umask.conf

# cat /etc/systemd/system/httpd.service.d/umask.conf
[Service]
UMask=0002
caot
0

Luoti's answer works for me on CentOS 7.

A system boot or reboot is not required.

You may get this warning when you restart the service using the command `systemctl restart httpd`:

`Warning: httpd.service changed on disk. Run 'systemctl daemon-reload' to reload units`.

So first run the `systemctl daemon-reload` command, then `systemctl restart httpd`.

prograshid
-12

Drifting away from the "tried and true Apache way" is usually not recommended. Lots of time and hard won experience has gone into the selection of such things.

GEOCHET
Rob Wells
  • 3
    Must have been asleep when that memo was passed around - any links for the tried and tested way? – DavidWinterbottom Jan 09 '09 at 15:26
  • @Maine, it's not FUD. Google umask 002 apache and take your pick. – Rob Wells Sep 17 '09 at 16:38
  • @DavidWinterbottom, this has been policy since the mid-nineties for the site that I'm associated with. Third biggest website in the world btw. – Rob Wells Sep 17 '09 at 16:43
  • Forgot to say, see also the book of "lock it down unless you really need it" security. Only explicitly allow what you want to allow. – Rob Wells Sep 17 '09 at 16:53
  • 13
    @Rob - Using a umask of 002 will not be a problem unless the apache user's primary group contains untrusted users (which would be a terrible setup) or Apache is a member of a group with untrusted users /and/ is writing to a directory owned by that group with the setgid bit set. Further, the Apache way is the Unix way - to create files using the most permissive values, and let the local sysadmin determine appropriate permission restrictions using the umask. Ergo, this is misguided FUD. – dannysauer Aug 12 '10 at 14:50
  • 1
    @RobWells, I agree. "Tried something and it works but have no clue why" creates most of the security issues. Stackoverflow is full of such content. – o0x258 Apr 17 '18 at 10:33
  • 1
    @ora-600 agreed. The Pragmatic Programmers call that "programming by coincidence"! – Rob Wells Apr 19 '18 at 10:42