14

I need files created by apache2 to have umask 002, i.e. group rw, by default.

I've tried putting umask 002 in /etc/apache2/envvars and although this script does get executed as part of apache start up (apache2ctl graceful) the umask has no effect. Presumably somewhere further in the start up process (e.g. when the user is downgraded from root to www-data) there's somewhere better to put this.

I've read posts about Fedora and one suggesting putting umask in /etc/init.d/apache2 but neither of these apply/work in Debian (Squeeze).

Can you help?

artfulrobot
  • You should try to restart Apache with "/etc/init.d/apache2 restart" or "service apache2 restart" – Jens Bradler Apr 28 '12 at 17:55
  • yep, neither worked. – artfulrobot Apr 28 '12 at 22:27
  • How do you create new files (WebDAV, PHP)? – Jens Bradler Apr 29 '12 at 05:27
  • In my test, I'm using file_put_contents(), but the code I'm trying to 'fix' with this is Drupal's Less module (which creates cached versions of processed Less CSS files). My specific problem is that I cannot run `drush cc all` as my user because it errors out on all these www-data created cache files. – artfulrobot Apr 30 '12 at 09:15

3 Answers

14

To be sure that the umask setting takes effect, please use a simple test and do not use any other web application for this. It might be the case that these applications change the rights independently of the umask setting of Apache.

Simple test PHP script:

<?php
if ($fp = fopen(time() . '.txt', 'w')) {
  fwrite($fp, 'This is a simple test.');
  fclose($fp);
  echo "done";
} else {
  echo "error - cannot create file";
}
?>

Take care that the user www-data has write access to the folder where you have installed this simple test file.

To have the new umask running, check whether the file /etc/apache2/envvars is used within your Apache start file /etc/init.d/apache2:

...
PIDFILE=$(. /etc/apache2/envvars && echo $APACHE_PID_FILE)
...

Set your umask in /etc/apache2/envvars:

...
# umask 002 to create files with 0664 and folders with 0775
umask 002

Restart your Apache:

service apache2 restart

Check the difference:

#> ls -l *.txt
-rw-rw-r-- 1 www-data www-data  14 2012-05-01 15:56 1335880583.txt
-rw-r--r-- 1 www-data www-data  14 2012-05-01 15:55 1335880540.txt
Valerio Bozzolan
Jens Bradler
3

If you run multiple sites you can set default group permission using Access Control Lists (ACL) per directory like so:

Set the setgid flag to force all new files to inherit the group from the directory:

# chmod g+s wordpress

Make new files have rw for the group permissions, ex. so that www-data can write to files SFTPed by the upload user:

# setfacl --default --modify group::rwx wordpress 

Confirm the ACL is like so:

# getfacl wordpress
# file: wordpress
# owner: carissacosgrove
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

Create a file to confirm it worked:

# ll test
-rw-rw-r-- 1 root www-data 0 Feb 17 01:09 test
kubanczyk
  • Won't this be problematic if the application is trying to write files with reduced permission on purpose? – berbt Feb 20 '16 at 22:28
  • Not at all, the application will just write with reduced permissions which actually confused me for a bit initially - http://stackoverflow.com/questions/28454551/pdo-sqlite-create-database-default-permissions – Daniel Sokolowski Feb 20 '16 at 23:07
  • I think this command `setfacl --default --modify group:rwx wordpress` is missing a colon. It should be `setfacl --default --modify group::rwx wordpress` – Marcos Sep 20 '16 at 14:16
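
The umask effect visible in the first answer's `ls -l` output, together with the question in the comments above about applications that deliberately write with reduced permissions, as an added example (not code from any of the posts). It creates files under umask 022 and 002 and reports the modes they end up with; the function name and file names are constructed for illustration.

```python
import os
import tempfile


def modes_under_umask(mask):
    """Create files the way a web application would under `mask` and
    return the permission bits each one actually ends up with."""
    old = os.umask(mask)  # same effect as `umask 002` in the service environment
    try:
        with tempfile.TemporaryDirectory() as d:
            # Ordinary file: open() requests 0666, like PHP's fopen(..., 'w').
            default_file = os.path.join(d, "cache.css")
            with open(default_file, "w") as fh:
                fh.write("constructed sample\n")

            # Directory: mkdir() requests 0777.
            new_dir = os.path.join(d, "files")
            os.mkdir(new_dir, 0o777)

            # File the application deliberately restricts at creation time.
            private_file = os.path.join(d, "secret.key")
            fd = os.open(private_file, os.O_CREAT | os.O_WRONLY, 0o600)
            os.close(fd)

            def perm(path):
                # Keep only rwx bits so an inherited setgid bit is ignored.
                return os.stat(path).st_mode & 0o777

            return {
                "default_file": perm(default_file),
                "directory": perm(new_dir),
                "private_file": perm(private_file),
            }
    finally:
        os.umask(old)  # restore the caller's umask


if __name__ == "__main__":
    for mask in (0o022, 0o002):
        result = modes_under_umask(mask)
        print(f"umask {mask:03o}:",
              {name: f"{mode:04o}" for name, mode in result.items()})
```

The file requested as 0600 stays 0600 under either umask, because the umask only clears bits from the mode the application asks for and never adds any.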
2

(For Debian Stretch that uses systemd - Thanks womble!)

Put UMask=0002 in the Apache2 systemd service unit file, reload the service unit, and then restart Apache2.

$ pwd
/etc/systemd/system/multi-user.target.wants

$ cat apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
...
UMask=0002

$ sudo systemctl daemon-reload
$ sudo systemctl restart apache2
  • Debian Squeeze didn't use systemd. – womble Dec 16 '19 at 23:58
  • Ah yes, at the end of the body of the original question they do say Debian Squeeze. As the question was from ~8 years ago as of today, and as I was trying to solve the problem posed in the title with the latest Debian as of late 2019, that is what I posted. I think most people searching for a solution today as opposed to eight years ago may benefit from my solution, so I'll just leave what I put in. Thanks for pointing that out. – duplexddaann Dec 18 '19 at 00:51