5

Setting up a new webserver in Ubuntu 14.04 and trying to wrangle file permissions for PHP generated files.

By default, all the directories and files in /var/www are owned/grouped to www-admin. Directory permissions are rwxrwsr-x and file permissions are rw-rw-r--.

We then set the group on a limited number of directories to www-data - this is so that PHP (via Apache) can write log and cache files in this location.

However, I cannot get PHP to obey a umask of 0002, and so files generated by PHP are only writeable to the www-data user. This is a problem, since we use continuous integration, and some other cleanup processes.

So far, I have:

  • Set the umask to 0002 in /etc/pam.d/common-session
  • Set the umask to 0002 in /etc/pam.d/common-session-noninteractive
  • Set the umask to 0002 in /etc/profile
  • Set the umask to 0002 in /etc/apache2/envvars
  • Set the umask to 0002 in /etc/login.defs
  • Set the umask to 0002 for www-data in /etc/passwd using sudo chfn -o "umask=002" daemon_username

And I'm still stuck.

I've stopped/started the service, and even restarted the computer - no joy.

HorusKol
  • 741
  • 5
  • 12
  • 31

4 Answers4

4

"umask 002" in /etc/apache2/envvars should work.

Take notice that Apache must be restarted by "service apache2 stop; service apache2 start" for taking effect, not by "service apache2 restart"!

See here if you need an more detailed sample: https://serverfault.com/a/384922/228027

Community
  • 1
user2743554
  • 357
  • 3
  • 12
  • 1
    Given the Ubuntu 14.04 /etc/init.d/apache2, how does "service apache2 stop; service apache2 start" differ from "service apache2 restart"? – andol Aug 29 '14 at 06:35
  • do_start in restart may be skipped depending on do_stop result. – user2743554 Aug 30 '14 at 07:15
  • Yeah, except in those situation you get an error and an exit. Hence, I really see no scenario where "service apache2 restart" can succeed, while still surprise you with the change not taking effect. – andol Aug 30 '14 at 09:43
  • Well, all of those changes "should" work according to the sources I got them from - I'm asking the question because it didn't - and I pretty much always do a complete stop and start instead of restart these days. – HorusKol Aug 31 '14 at 23:12
  • @andol - i've had restarts silently fail with some mis-configurations (particularly SSL stuff that don't get picked up with a configtest). – HorusKol Aug 31 '14 at 23:13
2

If you run multiple sites you can set default group permission using Access Control Lists (ACL) per directory like so:

Set setid flag to force all new files to inherit group from directory:

root@sh1:/srv/www/php/fastwarren.ca# chmod g+s wordpress

Make new files have rw for the group permissions, ex. so that www-data can write to files SFTPed by the upload user:

root@sh1:/srv/www/php/fastwarren.ca# setfacl --default --modify group:rwx wordpress

Confirm the ACL is like so:

root@sh1:/srv/www/php/fastwarren.ca# getfacl wordpress
# file: wordpress
# owner: carissacosgrove
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

Create a file to confirm it worked:

root@sh1:/srv/www/php/fastwarren.ca# ll test
-rw-rw-r-- 1 root www-data 0 Feb 17 01:09 test
Daniel Sokolowski
  • 859
  • 7
  • 9
2

The problem is that the files are being created by PHP-FPM. It's the parent process -- not apache2. The only way I could fix this is by adding the umask to /etc/init/php7.1-fpm.conf. Then restart PHP-FPM.

Related thread: Nginx/php-fpm umask setting.

Andrew Schulman
  • 8,561
  • 21
  • 31
  • 47
Sean Ruiz
  • 21
  • 1
1

This wasn't working for me either untill I realized the following: PDO SQLite driver plugin for Wordpress will create the database file with group read permission only.

Test you sanity by using the create script from here: How do I set default umask in Apache on Debian?.

Community
  • 1
Daniel Sokolowski
  • 859
  • 7
  • 9