I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference. Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.

Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.

Any suggestion from this list would be appreciated.

Emmett

>> I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference. Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.
>>
>> Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.
>>
>> Any suggestion from this list would be appreciated.
>>
>> Emmett

SystemD does have a directive for UMask in their "unit" scripts under the '[service]' section

See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#UMask=
and also: https://man7.org/linux/man-pages/man5/systemd.exec.5.html

Several posts on StackExchange indicate that the name of the directive 'UMask' is case-sensitive, so it must match the first two letters as UPPERcase, the remainder lowercase.

This posting at ServerFault provides the exact steps:
https://serverfault.com/questions/924960/how-to-set-umask-for-apache-on-amazon-linux-2-ami

Depending on how Apache httpd is called (for example, if there is a wrapper script called instead of an executable), there may be other players in the mix that would influence what the process ends up with for its umask.

Start first with how Apache httpd is called by SystemD, and trace it out to the binary (see if your script(s) call any other scripts). Worst case, you could go the opposite route and have the unit script call a bash script instead of the executable directly, and the bash script can set umask right before it calls the httpd binary.

Cheers!

Simba
Engineering

On 7/13/20 4:21 PM, Phoenix, Merka wrote:
>>> I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference. Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.
>>>
>>> Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.
>>>
>>> Any suggestion from this list would be appreciated.
>>>
>>> Emmett
>
> SystemD does have a directive for UMask in their "unit" scripts under the '[service]' section
>
> See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#UMask=
> and also:
> https://man7.org/linux/man-pages/man5/systemd.exec.5.html
>
> Several posts on StackExchange indicate that the name of the directive 'UMask' is case-sensitive, so it must match the first two letters as UPPERcase, the remainder lowercase.
>
> This posting at ServerFault provides the exact steps:
> https://serverfault.com/questions/924960/how-to-set-umask-for-apache-on-amazon-linux-2-ami
>
> Depending on how Apache httpd is called (for example, if there is a wrapper script called instead of an executable), there may be other players in the mix that would influence what the process ends up with for its umask.
>
> Start first with how Apache httpd is called by SystemD, and trace it out to the binary (see if your script(s) call any other scripts). Worst case, you could go the opposite route and have the unit script call a bash script instead of the executable directly, and the bash script can set umask right before it calls the httpd binary.
>
> Cheers!
>
> Simba
> Engineering

Thanks for the info. I hadn't seen that before nor many of the links.

I had seen the suggested systemd fix, but have never been able to get them to work. And I've tried many combinations. Still no luck. There has to be a way to get this done.

Emmett

On 7/13/20 6:40 PM, Emmett Culley via CentOS wrote:
> I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference. Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference. Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.

I had a couple sideline emails with Emmett about suexec possibly being the culprit. TL;DR: that's not it.

The apache suexec utility can enforce a umask (typically 022) on CGI and SSI (server-side includes). Taking a look at the source in support/suexec.c, if compiled with AP_SUEXEC_UMASK set to some value, it will set the umask; else there is no umask change. AP_SUEXEC_UMASK is set via ./configure with --with-suexec-umask.

In CentOS 8 httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.src.rpm the httpd.spec for ./configure with suexec-related configuration flags are notably absent of --with-suexec-umask. I also did a prep of the sources and no patches modify the suexec sources in this way. I similarly checked CentOS 7.8 httpd-2.4.6-93.el7.centos.src.rpm with the same result.

Just thought I'd share my dead-end attempt to help since suexec hasn't been mentioned. :-)

> On 7/13/20 6:40 PM, Emmett Culley via CentOS wrote:
>> I need to set the umask for apache to 002. I've tried every idea I've
>> found on the internet, but nothing makes a difference. Most suggest that
>> I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make
>> a difference. Others suggest adding something to the httpd.service
>> script for systemd. And that doesn't make any difference.
>
> I had a couple sideline emails with Emmett about suexec possibly being the
> culprit. TL;DR: that's not it.
>
> The apache suexec utility can enforce a umask (typically 022) on CGI and
> SSI (server-side includes). Taking a look at the source in
> support/suexec.c, if compiled with AP_SUEXEC_UMASK set to some value, it
> will set the umask; else there is no umask change. AP_SUEXEC_UMASK is set
> via ./configure with --with-suexec-umask.
>
> In CentOS 8 httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.src.rpm the
> httpd.spec for ./configure with suexec-related configuration flags are
> notably absent of --with-suexec-umask. I also did a prep of the sources
> and no patches modify the suexec sources in this way.

I may have missed something but it seems to work in my test:

    # grep -i umask /proc/<http_worker>/status
    Umask: 0022

    # cat /etc/systemd/system/httpd.service.d/override.conf
    [Service]
    UMask=0002

    # systemctl edit httpd.service
    < enter override config >
    <reload/restart httpd>

    # grep -i umask /proc/<http_worker>/status
    Umask: 0002

That's what you are looking for, isn't it? I didn't test to write files but at least the umask on the process is set as it seems.

Regards,
Simon
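
Added example, not part of any message in this thread: a shell audit that reads the Umask field Simon checks by hand in /proc/<pid>/status for every process with a given name, compares it with the value set in the drop-in, and shows the mode new files would get. The function names and the optional proc-root argument are assumptions of this example, and the status files built in demo are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). The optional third argument, a proc
# root directory, is an assumption so the check can run on a constructed tree.

# field KEY FILE: print the value of "KEY:" from a /proc/<pid>/status file.
field() { awk -v k="$1:" '$1 == k { print $2 }' "$2"; }

# effective_mode REQUESTED MASK: mode a new file gets, e.g. 666 0002 -> 0664.
effective_mode() { printf '%04o\n' "$(( 0$1 & ~0$2 ))"; }

# check_umask NAME EXPECTED [PROC_ROOT]
# Returns 0 if every process called NAME has umask EXPECTED, 1 if any
# differs (or the kernel does not expose the field), 2 if none was found.
check_umask() {
    root=${3:-/proc}; found=0; rc=0
    for f in "$root"/[0-9]*/status; do
        [ -r "$f" ] || continue
        [ "$(field Name "$f")" = "$1" ] || continue
        found=1
        pid=${f%/status}; pid=${pid##*/}
        mask=$(field Umask "$f")
        # Compare as octal numbers, so 002 and 0002 are the same mask.
        if [ -n "$mask" ] && [ "$((0$mask))" -eq "$((0$2))" ]; then
            echo "OK   pid=$pid umask=$mask new-files=$(effective_mode 666 "$mask")"
        else
            echo "DIFF pid=$pid umask=${mask:-unknown} expected=$2"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no process named $1"; return 2; }
    return "$rc"
}

# Constructed sample: one worker picked up the drop-in, one did not.
demo() {
    d=$(mktemp -d)
    mkdir "$d/101" "$d/102"
    printf 'Name:\thttpd\nUmask:\t0002\n' > "$d/101/status"
    printf 'Name:\thttpd\nUmask:\t0022\n' > "$d/102/status"
    demo_rc=0
    check_umask httpd 0002 "$d" || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}
```

On a live host, `check_umask httpd 0002` reads /proc directly after the unit has been restarted; `demo` runs the same check against the constructed tree and reports the worker still at 0022.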