How to set umask for a specific folder

you could use setfacl

setfacl -d -m group:name:rwx /path/to/your/dir

Where name is the group name

To find which groups you or a specific user belong see In unix/linux how do you find out what group a given user is in via command line?

You cannot set umask per directory, it's a process-level value. If you need to prevent others from reading files in a directory, revoke the corresponding permissions bits.

For example, if you've a directory /home/user/directory with some files and directories which can get permissions like 777 from a process, set the permission bits of /home/user/directory to something like 700. That will make it impossible for other users (excluding the superuser root) to descend in /home/user/directory.

I'm paranoid and set the permissions on /home/user to 750, so only I can read, write and descend in my home directory. This has as consequence that folders like /home/user/Public cannot be accessed by others, but I can live with that.

Per update of your question: still, you cannot control that in the filesystem (other than using a different filesystem type like FAT which is strongly discougared), you need to do that in your webapp. If your webapp is coded in PHP, you can change the umask on the fly using the umask function:

<?php
umask(0022);
// other code
?>

You could put this in a configuration file, like the file containing the database connection password (thinking in apps like Wordpress).

Remember that it's a process value, some webservers allow you to set it in their configuration files, otherwise you could modify the startup scripts to set the desired umask. Remember that permissions like 755 and 644 are quite dangerous for webapps, if the code is sensitive, everyone can read it.

Provide anther solution implemented with shell hooks and direnv. The following solution may be more compatible in case setfacl is not available on your system. (e.g. macOS)

direnv is an environment switcher for the shell. It knows how to hook into bash, zsh, tcsh, fish shell and elvish to load or unload environment variables depending on the current directory.

Use .envrc to export custom umask value for specific dir, and the exported env var will be unloaded when you leave that dir.

# example .envrc file
export UMASK=0022

Define a hook to change the umask value once working dir is changed.

function _umask_hook {
  if [[ -n $UMASK ]]; then
    umask "$UMASK"
  elif [[ $OSTYPE == darwin* ]]; then
    umask 0077
  else
    umask 0022
  fi
}

# To make the code more reliable on detecting the default umask
function _umask_hook {
  # Record the default umask value on the 1st run
  [[ -z $DEFAULT_UMASK ]] && export DEFAULT_UMASK="$(builtin umask)"

  if [[ -n $UMASK ]]; then
    umask "$UMASK"
  else
    umask "$DEFAULT_UMASK"
  fi
}

# zsh hooks
# trigger _umask_hook once working dir is changed
add-zsh-hook chpwd _umask_hook

# bash
# Append `;` if PROMPT_COMMAND is not empty
PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND;}_umask_hook"

For the time being, direnv hook initialization for zsh doesn't support chpwd hook. If the pull request GH-514 has not been merged when you see this page. Please comment out eval "$(direnv hook zsh)" and hook direnv on chpwd manually with following code,

if (( $+commands[direnv] )) && ! (( $+functions[_direnv_hook] )); then
  _direnv_hook() {
    eval "$(command "direnv" export zsh)";
  }
  typeset -agU precmd_functions;
  if [[ -z ${precmd_functions[(r)_direnv_hook]} ]]; then
    precmd_functions=( _direnv_hook ${precmd_functions[@]} )
  fi

  typeset -agU chpwd_functions;
  if [[ -z ${chpwd_functions[(r)_direnv_hook]} ]]; then
    chpwd_functions=( _direnv_hook ${chpwd_functions[@]} )
  fi
fi

Source: dynamic-umask-based-on-cwd.md

Another solution might be to just set the group id on files created in the directory, which makes the new files owned by the directory group id, instead of the group id of the user that created the files. So I think you could just do:

chown www-data:www-data /my/folder
chmod 2755 /my/folder

This sets the setgid special file permission, which would cause all files created in /my/folder to be owned by the www-data group, which has then has rx (5) permission because of the parent directory.

The special permission is defined in the first digit using octal notation. Add together the numbers below to combine options (e.g. 3 for both sgid and sticky bit)

• 1 for the sticky bit
• 2 for sgid
• 4 for suid

Reference: https://en.wikipedia.org/wiki/Setuid

To change permissions for a folder use chmod. umask is for files.

Set umask to what you need by

umask xxx

and change back when your done

umask 022

Related, but maybe not applicable in this case, the following clip is from .zshrc:

# Change the umask automatically for some directories; use 0022 as the default
chpwd () {
    case $PWD in
        $HOME/[Dd]ocuments*)
            if [[ $(umask) -ne 077 ]]; then
                umask 0077
                echo -e "\033[01;32mumask: private \033[m"
            fi;;
        */[Ww]eb*)
            if [[ $(umask) -ne 072 ]]; then
                umask 0072
                echo -e "\033[01;33mumask: other readable \033[m"
            fi;;
        /vol/nothing)
            if [[ $(umask) -ne 002 ]]; then
                umask 0002
                echo -e "\033[01;35mumask: group writable \033[m"
            fi;;
        *)
            if [[ $(umask) -ne 022 ]]; then
                umask 0022
                echo -e "\033[01;31mumask: world readable \033[m"
            fi;;
    esac
}

So for interactive use, something like that would work (but, obviously, not to provide security).