I am setting up a LAMP server and would like to set Apache's umask setting to 002 so that all Apache-created files have the group write permission bit set (so members of the same group can overwrite the files).
Does anyone know how to do this? I know that on Ubuntu, you can use the /etc/apache2/envvars file to configure the umask, but the server is running CentOS.
Update: This question is related to another I asked a while ago (http://stackoverflow.com/questions/174715/linux-users-and-groups-for-a-lamp-server). If preferred, please update this other question with what the best set-up is to use for having a developer user on a server that can edit files created by the apache user.
-
Drifting away from the "tried and true Apache way" is usually not recommended. Lots of time and hard-won experience has gone into the selection of such things.
DavidWinterbottom : Must have been asleep when that memo was passed around - any links for the tried and tested way?
Maine : -1 Spreading FUD rarely helps.
Rob Wells : @Maine, it's not FUD. Google umask 002 apache and take your pick.
Rob Wells : @DavidWinterbottom, this has been policy since the mid-nineties for the site that I'm associated with. Third biggest website in the world btw.
Rob Wells : Forgot to say, see also the book of "lock it down unless you really need it" security. Only explicitly allow what you want to allow.
dannysauer : @Rob - Using a umask of 002 will not be a problem unless the apache user's primary group contains untrusted users (which would be a terrible setup) or Apache is a member of a group with untrusted users /and/ is writing to a directory owned by that group with the setgid bit set. Further, the Apache way is the Unix way - to create files using the most permissive values, and let the local sysadmin determine appropriate permission restrictions using the umask. Ergo, this is misguided FUD.
-
Apache inherits its umask from its parent process (i.e. the process starting Apache); this should typically be the /etc/init.d script. So put a umask command in that script.
-
For CentOS and other Red Hat distros, add the umask setting to /etc/sysconfig/httpd and restart apache.
[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd
[root ~]$ service httpd restart
More info: Apache2 umask | MDLog:/sysadmin
For Debian and Ubuntu systems, you would similarly edit /etc/apache2/envvars.
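As an added example (not part of the original answers): the `echo ... >>` command above appends a new line every time it is run, so the sketch below sets the umask line idempotently and then checks what modes a child process actually gets after sourcing the file, the way an init script would. The function names are hypothetical, and GNU `sed`, `stat` and `mktemp` are assumed, as found on CentOS.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any Apache tooling.

# Idempotently set "umask VALUE" in an init-sourced file such as
# /etc/sysconfig/httpd. The path is a parameter so it can be tried on a copy.
set_umask_line() {
    file=$1 value=$2
    if grep -Eq '^[[:space:]]*umask[[:space:]]' "$file" 2>/dev/null; then
        # Replace the existing setting instead of stacking duplicates.
        sed -i -E "s/^[[:space:]]*umask[[:space:]].*/umask $value/" "$file"
    else
        printf 'umask %s\n' "$value" >> "$file"
    fi
}

# Source FILE as an init script would, then create a file and a directory
# from a child process. Prints their octal modes, e.g. "664 775".
modes_after_sourcing() {
    file=$1
    tmp=$(mktemp -d) || return 1
    (
        . "$file"
        # The child inherits the umask, just as httpd does from its parent.
        sh -c 'touch "$1/f" && mkdir "$1/d"' sh "$tmp"
    )
    printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

# Effective umask of a running process, to confirm the restart took effect.
# Only works where the kernel exposes "Umask:" in /proc/PID/status (Linux 4.7+).
proc_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status"
}
```

With 002 the group can write to everything Apache creates, so check who is in the Apache user's groups before applying it, as the comment on the first answer points out.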