Home / server / Questions / 383734
Accepted
artfulrobot
Asked: 2012-04-28 00:36:09 +0800 CST

How do I set default umask in Apache on Debian?

  • 772

I need files created by apache2 to have umask 002, i.e. group rw, by default.

I've tried putting umask 002 in /etc/apache2/envvars and although this script does get executed as part of apache start up (apache2ctl graceful) the umask has no effect. Presumably somewhere further in the start up process (e.g. when the user is downgraded from root to www-data) there's somewhere better to put this.

I've read posts about Fedora and one suggesting putting umask in /etc/init.d/apache2 but neither of these apply/work in Debian (Squeeze).

Can you help?

apache-2.2 umask

3 Answers

  1. Best Answer

    To be sure that the umask setting takes effect please use a simple test and do not use any other web application for this. It might be the case that these application change the rights independently from the umask setting of Apache.

    Simple test PHP script:

    <?php
if ($fp = fopen(time() . '.txt', 'w')) {
  fwrite($fp, 'This is a simple test.');
  fclose($fp);
  echo "done";
} else {
  echo "error - cannot create file";
}
?>

    Take care that the user www-data has write access to the folder where you have installed this simple test file.

    To have the new umask running, check if the file /etc/apache2/envvars will be used within your Apache start file /etc/init.d/apache2 :

    ...
PIDFILE=$(. /etc/apache2/envvars && echo $APACHE_PID_FILE)
...

    Set your umask in /etc/apache2/envvars :

    ...
# umask 002 to create files with 0664 and folders with 0775
umask 002

    Restart your Apache :

    service apache2 restart

    Check the difference :

    #> ls -l *.txt
-rw-rw-r-- 1 www-data www-data  14 2012-05-01 15:56 1335880583.txt
-rw-r--r-- 1 www-data www-data  14 2012-05-01 15:55 1335880540.txt
    • 14

  2. If you run multiple sites you can set default group permission using Access Control Lists (ACL) per directory like so:

    Set setid flag to force all new files to inherit group from directory:

    # chmod g+s wordpress

    Make new files have rw for the group permissions, ex. so that www-data can write to files SFTPed by the upload user:

    # setfacl --default --modify group::rwx wordpress

    Confirm the ACL is like so:

    # getfacl wordpress
# file: wordpress
# owner: carissacosgrove
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

    Create a file to confirm it worked:

    # ll test
-rw-rw-r-- 1 root www-data 0 Feb 17 01:09 test
    • 3

  3. (For Debian Stretch that uses systemd - Thanks womble!)

    Put UMask=0002 in the Apache2 systemd service unit file, reload the service unit, and then restart Apache2.

    $ pwd
/etc/systemd/system/multi-user.target.wants

$ cat apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service].
.
.
.
UMask=0002

$ sudo systemctl daemon-reload
$ sudo systemctl restart apache2
    • 2