On 7/13/20 4:21 PM, Phoenix, Merka wrote:>>> I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing make a difference. Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.>> >>> Other's suggest adding something to the httpd.service script for systemd. And that doesn't make any difference. >>> >>> Any suggestion from this list would be appreciated. >>> >>> Emmett > > SystemD does have a directive for UMask in their "unit" scripts under the '[service]' section > > See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#UMask> [ https :// www. freedesktop. org /software/systemd/man/systemd.exec.html#UMask= ] > and also: > https://man7.org/linux/man-pages/man5/systemd.exec.5.html > [ https :// man7. org /linux/man-pages/man5/systemd.exec.5.html ] > > Several posts on StackExchange indicate that the name of the directive 'UMask' is case-sensitive, so it must match the first two letters as UPPERcase, the remainder lowercase. > > This posting at ServerFault provides the exact steps: > https://serverfault.com/questions/924960/how-to-set-umask-for-apache-on-amazon-linux-2-ami > > [ https :// serverfault. com /questions/924960/how-to-set-umask-for-apache-on-amazon-linux-2-ami ] > > Depending on how Apache httpd is called (for example, if there is a wrapper script called instead of an executable), there may be other players in the mix that would influence what the process ends up with for its umask. > > Start first with how Apache httpd is called by SystemD, and trace it out to the binary (see if your script(s) call any other scripts). Worst case, you could go the opposite route and have the unit script call a bash script instead of the executable directly, and the bash script can set umask right before it calls the httpd binary. > > Cheers! > > Simba > EngineeringThanks for the info. I hadn't seen that before nor many of the links. I had seen the suggested systemd fix, but have never been able got them to work. And I've tried many combinations. Still no luck. There has to be a way to get this done. Emmett
On Wed, Jul 15, 2020 at 2:39 AM Emmett Culley via CentOS <centos at centos.org> wrote:> > Thanks for the info. I hadn't seen that before nor many of the links. I > had seen the suggested systemd fix, but have never been able got them to > work. And I've tried many combinations. Still no luck. > > There has to be a way to get this done. > > Emmett > >Hi, what is the original need? Could it be that you can accomplish the desired effect using ACL on particular directories/files? Gianluca
On 7/15/20 2:39 AM, Gianluca Cecchi wrote:> On Wed, Jul 15, 2020 at 2:39 AM Emmett Culley via CentOS <centos at centos.org <mailto:centos at centos.org>> wrote: > > > Thanks for the info.? I hadn't seen that before nor many of the links.? I had seen the suggested systemd fix, but have never been able got them to work. And I've tried many combinations.? Still no luck. > > There has to be a way to get this done. > > Emmett > > > Hi, > what is the original need? Could it be that you can accomplish the desired effect using ACL on particular directories/files? > > GianlucaMight could, but that seems like overkill for my purposes, as I don't use ACLs anywhere else. I cannot be the only developer that needs apache created files to be managed by a group. The truth is some sites, like wordpress or joomla, can be better managed when a group member can read or write apache created files. Like via SFTP or local FTP. Today, I have to make all files world writable to update joomla, and that could be better managed by allowing the owning group to access those files. In the case where the client manages the site, I have to log into the server and change the permissions every time they update the site. Or even to update most plugins. Wprdpress sites are better, but even then, I still sometimes need to set and unset explicit file permissions depending on the plugins installed. All this would not be an issue if apache created files with a unask of 002. One simple adjustment to the server to allow us to use normal Linux file permissions to manage files. If I don't find a solution to this I guess I'll have to use your ACL suggestion. It is getting to be pain to manage multiple sites in the current manner. Surely someone knows how to force apache to use a umask of 002, other than building from source. Emmett