I am setting up a LAMP server and would like to set Apache's umask setting to 002 so that all Apache-created files have the group write permission bit set (so members of the same group can overwrite the files).

Does anyone know how to do this? I know that on Ubuntu, you can use the /etc/apache2/envvars file to configure the umask, but the server is running CentOS.

Update: This question is related to another I asked a while ago (http://stackoverflow.com/questions/174715/linux-users-and-groups-for-a-lamp-server). If preferred, please update this other question with what the best set-up is to use for having a developer user on a server that can edit files created by the apache user.

A: 

Drifting away from the "tried and true Apache way" is usually not recommended. Lots of time and hard won experience has gone into the selection of such things.

Rob Wells
Must have been asleep when that memo was passed around - any links for the tried and tested way?
DavidWinterbottom
-1 Spreading FUD rarely helps.
Maine
@Maine, it's not FUD. Google umask 002 apache and take your pick.
Rob Wells
@DavidWinterbottom, this has been policy since the mid-nineties for the site that I'm associated with. Third biggest website in the world btw.
Rob Wells
Forgot to say, see also the book of "lock it down unless you really need it" security. Only explicitly allow what you want to allow.
Rob Wells
@Rob - Using a umask of 002 will not be a problem unless the apache user's primary group contains untrusted users (which would be a terrible setup) or Apache is a member of a group with untrusted users /and/ is writing to a directory owned by that group with the setgid bit set. Further, the Apache way is the Unix way - to create files using the most permissive values, and let the local sysadmin determine appropriate permission restrictions using the umask. Ergo, this is misguided FUD.
dannysauer
+3  A: 

Apache inherits its umask from its parent process (i.e. the process starting Apache); this should typically be the /etc/init.d script. So put a umask command in that script.

Martin v. Löwis
+7  A: 

For CentOS and other Red Hat distros, add the umask setting to /etc/sysconfig/httpd and restart apache.

[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd
[root ~]$ service httpd restart

More info: Apache2 umask | MDLog:/sysadmin

For Debian and Ubuntu systems, you would similarly edit /etc/apache2/envvars.

pwfisher
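
An added example, not part of the answers above: a repeatable version of the append shown for /etc/sysconfig/httpd, plus a check that the running httpd process actually picked up the umask. The function names are hypothetical, and the check assumes a kernel that exposes the Umask field in /proc/PID/status (Linux 4.7 and later).

```shell
#!/bin/sh
# Added example. Paths are arguments so the functions can be tried on
# scratch files before touching /etc/sysconfig/httpd.

# set_umask FILE VALUE: leave FILE with exactly one "umask VALUE" line,
# so repeated runs do not stack up appended lines.
set_umask() {
    file=$1; value=$2
    tmp=$(mktemp) || return 1
    touch "$file"
    # Keep every line except earlier umask settings.
    grep -v '^[[:space:]]*umask[[:space:]]' "$file" > "$tmp" || true
    printf 'umask %s\n' "$value" >> "$tmp"
    cat "$tmp" > "$file"   # rewrite in place: keeps owner, mode and SELinux label
    rm -f "$tmp"
}

# effective_umask STATUS_FILE: print the Umask field of a /proc/PID/status
# file; returns non-zero if the kernel does not expose the field.
effective_umask() {
    awk '$1 == "Umask:" { print $2; found = 1 } END { exit !found }' "$1"
}

# new_file_mode UMASK: mode of a file created with the usual 0666 request
# under UMASK (002 gives group-writable 0664, 022 gives 0644).
new_file_mode() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# Typical use as root on the server (not executed by this file):
#   set_umask /etc/sysconfig/httpd 002 && service httpd restart
#   for pid in $(pgrep httpd); do effective_umask "/proc/$pid/status"; done
```

If the reported value is still 0022 after the restart, the init system is not sourcing the file as a shell script and the umask has to be set wherever httpd is actually launched.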