Home / server / Questions / 166176
Accepted
mp3foley
Asked: 2010-08-02 21:11:12 +0800 CST

Ways to set umask on Ubuntu for daemon processes

  • 772

I have an http daemon server process (yaws) that I would like to have server write any new files with a umask of 002, so that another user in the same group can modify, move, or delete files created by the daemon process. This is on Ubuntu 10.04.

Unlike Apache, yaws does not have a configuration option for umask, so what methods are there for setting the umask of any daemon process?

I found this answer about changing the init script to add umask 002. This did work, but I'm not sure editing the init script is the best way of making this easy to document and configure on multiple machines.

I also found reference to the pam_umask module here. It looks like this allows per user settings of the umask to be configured in the GECOS field of /etc/passwd.

Are there any other ways to set the umask for daemon processes? And what would be the recommended way?

ubuntu daemon umask yaws

3 Answers

  1. On Ubuntu 10.04 global default umask settings can be controlled with the pam_umask module.

    Some details were found on this blog related to Debian in general: http://muzso.hu/2008/01/22/default-permissions-with-libpam-umask

    The pam_umask module is installed by default on Ubuntu 10.04, but needs to be configured.

    Edit /etc/pam.d/common-session, adding the line:

    session optional pam_umask.so umask=022

    Then per user settings can be changed by running the command:

    sudo chfn -o "umask=002" daemon_username

    to add a umask setting to the GECOS field in /etc/passwd.

    This only works for non-interactive, non-login shells such as when a daemon startup script is run at boot.

    For login shells umask settings need to be removed from other shell configuration files such as /etc/profile, /etc/login.defs, or users home directory .profile, .bashrc, etc. Otherwise the pam_umask settings are overridden. See the pam_umask man page for the configuration order.

    • 5
  2. Best Answer

    Create a .profile file in the daemon's home directory:

    #!/bin/sh
umask 002

    You can find the daemon's home directory by running:

    getent passwd daemon | awk -F':' '{ print $6; }'

    If that doesn't work, the only other solution I can think of would be to edit the /etc/init.d script.

    • 2

  3. If the service is started via the tool "start-stop-daemon" the umask can be specified at command line level with the parameter "--umask" e.g:

    log_daemon_msg "Starting $DESC" "$NAME"
if start-stop-daemon --start --oknodo --exec $DAEMON -b --chuid motion --umask 002 ; then
        log_end_msg 0
    else
        log_end_msg 1
        RET=1
    fi

    Adjusting the start-script to read such details from an configuration file might be more transparent than adding user based settings - this of course depends on the startup procedure used for the daemon.

    More information can be retrieved from the man-Page: man start-stop-daemon

    • 1