8

I have an HTTP daemon server process (yaws) that I would like to have write any new files with a umask of 002, so that another user in the same group can modify, move, or delete files created by the daemon process. This is on Ubuntu 10.04.

Unlike Apache, yaws does not have a configuration option for umask, so what methods are there for setting the umask of any daemon process?

I found this answer about changing the init script to add umask 002. This did work, but I'm not sure editing the init script is the best way of making this easy to document and configure on multiple machines.

I also found reference to the pam_umask module here. It looks like this allows per user settings of the umask to be configured in the GECOS field of /etc/passwd.

Are there any other ways to set the umask for daemon processes? And what would be the recommended way?

mp3foley

3 Answers

5

On Ubuntu 10.04 global default umask settings can be controlled with the pam_umask module.

Some details were found on this blog related to Debian in general: http://muzso.hu/2008/01/22/default-permissions-with-libpam-umask

The pam_umask module is installed by default on Ubuntu 10.04, but needs to be configured.

Edit /etc/pam.d/common-session, adding the line:

session optional pam_umask.so umask=022

Then per user settings can be changed by running the command:

sudo chfn -o "umask=002" daemon_username

to add a umask setting to the GECOS field in /etc/passwd.

This only works for non-interactive, non-login shells such as when a daemon startup script is run at boot.

For login shells, umask settings need to be removed from other shell configuration files such as /etc/profile, /etc/login.defs, or the user's home directory .profile, .bashrc, etc. Otherwise the pam_umask settings are overridden. See the pam_umask man page for the configuration order.

mp3foley
2

Create a .profile file in the daemon's home directory:

#!/bin/sh
umask 002

You can find the daemon's home directory by running:

getent passwd daemon | awk -F':' '{ print $6; }'

If that doesn't work, the only other solution I can think of would be to edit the /etc/init.d script.

Dennis Williamson
Zaz
  • 2
    `getent passwd daemon | awk -F':' '{ print $6; }'` works too. – Janne Pikkarainen Aug 02 '10 at 10:34
  • 1
    There's no need to use `sudo` to read `/etc/passwd`. Or `cat` for that matter (`grep` will accept a filename as an argument or just use `getent` as Janne pointed out). – Dennis Williamson Aug 02 '10 at 10:51
  • This does not work under Ubuntu 10.04. This might be because /bin/sh is linked to /bin/dash, but I changed the daemon's default shell to /bin/bash and it still did not work. I think this is because $HOME/.profile does not get read by non-interactive and non-login bash or dash shells. I could not find any easy way to demonstrate this from the command line. Interactive shell umask can be shown with `sudo -u daemon bash -c umask`. I tested non-interactive by changing settings and restarting the daemon and looking at permissions on files it creates. – mp3foley Aug 03 '10 at 00:18
  • @mp3foley: I'm not familiar with `dash`, but `umask` should work in it. – Zaz Aug 03 '10 at 11:40
  • I have also asked this question on the daemon's (yaws) mailing list. The best way is to add the umask setting in the daemon startup script in /etc/init.d/. Someone is even patching the daemon's source code. – mp3foley Aug 06 '10 at 03:21
  • The other method I mentioned using the pam_umask module also works, at least on Ubuntu 10.04. I will answer my own question with how to do that. – mp3foley Aug 06 '10 at 03:22
1

If the service is started via the tool "start-stop-daemon", the umask can be specified at the command-line level with the parameter "--umask", e.g.:

log_daemon_msg "Starting $DESC" "$NAME"
if start-stop-daemon --start --oknodo --exec $DAEMON -b --chuid motion --umask 002 ; then
    log_end_msg 0
else
    log_end_msg 1
    RET=1
fi

Adjusting the start script to read such details from a configuration file might be more transparent than adding user-based settings - this of course depends on the startup procedure used for the daemon.

More information can be retrieved from the man page: man start-stop-daemon

Dirk
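A way to check the result of any of the methods in the answers above, as an added example that is not part of any post: it shows which modes a child process gets from an inherited umask and reads the live umask of a running process. The function names are hypothetical, `stat -c` assumes GNU coreutils, and the `Umask:` line in /proc/PID/status assumes Linux 4.7 or later (newer than the kernel shipped with Ubuntu 10.04).

```shell
#!/bin/sh
# Added example: observe what a given umask does to files a daemon creates.

# mode_under_umask MASK KIND -> prints the octal mode of a new file or
# directory created by a child process that inherited MASK.
# KIND is "file" or "dir".
mode_under_umask() {
    mask=$1
    kind=$2
    tmp=$(mktemp -d) || return 1
    (
        umask "$mask"    # what the init script or --umask does before exec
        # A separate sh stands in for the daemon: it only inherits the mask.
        if [ "$kind" = dir ]; then
            sh -c 'mkdir "$1/new"' sh "$tmp"
        else
            sh -c ': > "$1/new"' sh "$tmp"
        fi
    )
    stat -c '%a' "$tmp/new"
    rm -rf "$tmp"
}

# group_writable MODE -> succeeds if the group-write bit (020) is set,
# i.e. another user in the same group can modify the file.
group_writable() {
    [ $(( 0$1 & 020 )) -ne 0 ]
}

# running_umask PID -> prints the umask of a running process, or fails
# if the kernel does not expose it (assumption: Linux 4.7 or later).
running_umask() {
    awk '/^Umask:/ { print $2; found = 1 } END { exit !found }' \
        "/proc/$1/status" 2>/dev/null
}

# Compare the common default (022) with the mask the question asks for (002).
for m in 022 002; do
    f=$(mode_under_umask "$m" file)
    d=$(mode_under_umask "$m" dir)
    if group_writable "$f"; then gw=yes; else gw=no; fi
    echo "umask $m: file=$f dir=$d group-writable=$gw"
done
```

After restarting the daemon, pass its PID to `running_umask` to confirm the setting took effect without waiting for it to create a file.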