Home / server / Questions / 624866
In Process
HorusKol
Asked: 2014-08-29 19:28:42 +0800 CST

umask for www-data user running PHP on Ubuntu

  • 772

Setting up a new webserver in Ubuntu 14.04 and trying to wrangle file permissions for PHP generated files.

By default, all the directories and files in /var/www are owned/grouped to www-admin. Directory permissions are rwxrwsr-x and file permissions are rw-rw-r--.

We then set the group on a limited number of directories to www-data - this is so that PHP (via Apache) can write log and cache files in this location.

However, I cannot get PHP to obey a umask of 0002, and so files generated by PHP are only writeable to the www-data user. This is a problem, since we use continuous integration, and some other cleanup processes.

So far, I have:

  • Set the umask to 0002 in /etc/pam.d/common-session
  • Set the umask to 0002 in /etc/pam.d/common-session-noninteractive
  • Set the umask to 0002 in /etc/profile
  • Set the umask to 0002 in /etc/apache2/envvars
  • Set the umask to 0002 in /etc/login.defs
  • Set the umask to 0002 for www-data in /etc/passwd using sudo chfn -o "umask=002" daemon_username

And I'm still stuck.

I've stopped/started the service, and even restarted the computer - no joy.

php

4 Answers

  1. "umask 002" in /etc/apache2/envvars should work.

    Take notice that Apache must be restarted by "service apache2 stop; service apache2 start" for taking effect, not by "service apache2 restart"!

    See here if you need an more detailed sample: https://serverfault.com/a/384922/228027

    • 4

  2. If you run multiple sites you can set default group permission using Access Control Lists (ACL) per directory like so:

    Set setid flag to force all new files to inherit group from directory:

    root@sh1:/srv/www/php/fastwarren.ca# chmod g+s wordpress

    Make new files have rw for the group permissions, ex. so that www-data can write to files SFTPed by the upload user:

    root@sh1:/srv/www/php/fastwarren.ca# setfacl --default --modify group:rwx wordpress

    Confirm the ACL is like so:

    root@sh1:/srv/www/php/fastwarren.ca# getfacl wordpress
# file: wordpress
# owner: carissacosgrove
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

    Create a file to confirm it worked:

    root@sh1:/srv/www/php/fastwarren.ca# ll test
-rw-rw-r-- 1 root www-data 0 Feb 17 01:09 test
    • 2

  3. The problem is that the files are being created by PHP-FPM. It's the parent process -- not apache2. The only way I could fix this is by adding the umask to /etc/init/php7.1-fpm.conf. Then restart PHP-FPM.

    Related thread: Nginx/php-fpm umask setting.

    • 2

  4. This wasn't working for me either untill I realized the following: PDO SQLite driver plugin for Wordpress will create the database file with group read permission only.

    Test you sanity by using the create script from here: How do I set default umask in Apache on Debian?.

    • 1