FS#16796 - [apache] Add configuration option to set umask for the httpd process

Attached to Project: Arch Linux
Opened by Massimiliano Torromeo (mtorromeo) - Friday, 23 October 2009, 09:23 GMT
Last edited by Jan de Groot (JGC) - Saturday, 06 March 2010, 18:20 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
In some cases it is needed to change the umask for the apache process, for example to allow write privileges to all users in the http group (umask 002).

This is possible in other distributions: /etc/apache2/envvars in Debian-based distros, /etc/sysconfig/httpd in Red Hat-based distros.

I tried adding umask 002 in the init script or in /usr/sbin/envvars (which is sourced by httpd), but it didn't work.

Regards.

Closed by  Jan de Groot (JGC)
Saturday, 06 March 2010, 18:20 GMT
Reason for closing:  Implemented
Additional comments about closing:  apachectl sources /etc/conf.d/apache now, so you can implement this yourself in that configuration file.
Comment by Andrea Scarpino (BaSh) - Friday, 23 October 2009, 17:44 GMT
I don't understand your request.
When I start a new project I make a dir in /srv/http/ chowned by <user>:http. Then only my user and http group have write permission.
Comment by Massimiliano Torromeo (mtorromeo) - Friday, 23 October 2009, 18:02 GMT
Ok

Let's say the project path is /srv/http/proj owned by foo:http, permissions 755
Only foo has the rights to write in it.
So I chmod 775 to give apache the rights to write inside /srv/http/proj.
Let's say a script served by apache creates a new file /srv/http/proj/a.txt.
This file is going to be owned by http:http 644 (umask being 022), and foo cannot edit/delete it.
If foo was part of the http group and the umask was 002, then a.txt would be created with 664 permissions and foo could modify it.

This is done on other distros as described in the task details, but I don't know why it doesn't work on archlinux if I set umask in /usr/sbin/envvars (that seems to be the equivalent, although in an odd location).

Thanks for looking into this.
Comment by Massimiliano Torromeo (mtorromeo) - Friday, 23 October 2009, 18:04 GMT
Just a correction of the description, /usr/sbin/envvars is sourced by apachectl, not httpd
Comment by Jan de Groot (JGC) - Monday, 26 October 2009, 17:47 GMT
IMHO web scripts should never rely on umask settings, but should change the permissions themselves. One exception is safe mode, where you can't do this, but safe mode is a dead road anyways, it's dead when PHP 6 is coming.
Comment by Massimiliano Torromeo (mtorromeo) - Wednesday, 28 October 2009, 09:08 GMT
Of course they shouldn't, but can I rely on my users to write good scripts? No. Can I be sure that all the (not written by me) libraries that I use take permissions into consideration? No.
Setting the umask is surely something I can rely on if I am the one in control of the server configuration.
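
The 644 versus 664 scenario from the thread, together with the closing note that a config file sourced by the launcher can carry the umask, as an added example that is not part of the original task or of Arch's apachectl. The function names, the temporary config file and the `sh -c` child standing in for httpd are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed): stand-in for a launcher script that sources a
# config file before starting a daemon. All names and paths are hypothetical.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# launch_with_conf CONF_TEXT
# Writes CONF_TEXT to a temporary config file, sources it the way a launcher
# would, then starts a child process (standing in for httpd) that creates
# a.txt with the usual 0666 request. Prints the mode the file ends up with.
launch_with_conf() {
    workdir=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$workdir/conf"
    (
        umask 022              # default umask from the thread
        . "$workdir/conf"      # config file sourced by the launcher
        sh -c ': > "$1"' sh "$workdir/a.txt"   # child inherits the umask
    )
    file_mode "$workdir/a.txt"
    rm -rf "$workdir"
}

# audit_group_write DIR
# Lists regular files under DIR that lack the group write bit, i.e. files
# that another member of the owning group could not edit.
audit_group_write() {
    find "$1" -type f ! -perm -020
}

echo "conf without umask: $(launch_with_conf '# no umask set')"
echo "conf with umask 002: $(launch_with_conf 'umask 002')"
```

With umask 002 every file the daemon creates is writable by all members of its group, so membership of that group becomes the access boundary for those files.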
