On 10/27/2016 02:27 PM, Alex wrote:
> Hi,
>>> I've actually already done these exact steps, and it doesn't work (on
>>> fedora23). When you say you've tested it, do you mean you tested the
>>> steps above, or you did something to confirm afterwards that its umask
>>> is 0002?
>>>
>>> # cat /etc/systemd/system/httpd.service.d/override.conf
>>> [Service]
>>> UMask=0002
>>> # systemctl restart httpd
>>> # su - apache -s /bin/bash
>>> -bash-4.3$ umask
>>> 0022
>>
>> Alex, the change to the override.conf file affects ONLY the httpd
>> _process_ started by systemd. It does NOT change the umask for the
>> apache _user_ (which is what you tested).
>>
>> The only way to verify the change "took" is to have the httpd process
>> create a file and check the mode of the file created.
> Yes, thanks. I still need to test it for joomla through the apache
> user, but as I mentioned in a previous email a few minutes ago, it
> still appears to be 0022.
> How is it set for the normal user? I've modified /etc/bashrc (and even
> /etc/profile), and the apache user doesn't have a .bashrc or
> .bash_profile, and it's still 0022.
Where did you set it? By default /etc/profile changes the umask for
interactive shells to 0002 under the following criteria:
if the user ID is > 199 AND
the EUID (by name) is the same as the EGID (by name)
Otherwise the umask is set to 0022. By default, /etc/bashrc does
precisely the same for _non-login_ bash shells.
Just to prove you can change the umask via /etc/profile:
[root@prophead ~]# su - apache -s /bin/bash -c "umask"
0022
[root@prophead ~]# echo "umask 0002" >>/etc/profile
[root@prophead ~]# su - apache -s /bin/bash -c "umask"
0002
Note that this affects ALL users' interactive shells, so delete that
line we just added from the end of /etc/profile as soon as possible
after you're satisfied it works.
I'd highly recommend you add code to both /etc/profile and /etc/bashrc
to selectively change the umask for the apache user (on my machine,
that's UID 48).
> This is important because the "joomadmin" user will be manipulating
> these files via sFTP or scp.
> I've also tried modifying the Subsystem variable to first set the
> umask before running /usr/libexec/openssh/sftp-server, and the Windows
> sFTP client they're using apparently can't handle this.
Uh, how? The /etc/ssh/sshd_config line should read:
Subsystem sftp /usr/libexec/openssh/sftp-server -u 0002
and you must restart sshd via "systemctl restart sshd.service" as
/etc/ssh/sshd_config is only read when sshd starts up.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks(a)alldigital.com -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
- A day for firm decisions!!! Well, then again, maybe not! -
----------------------------------------------------------------------
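
Added example, not part of the original message: a sketch of the selective umask rule recommended above for /etc/profile and /etc/bashrc, together with the "create a file and check its mode" verification. The function names are hypothetical, `APACHE_UID=48` is the value from the reply, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the thread. APACHE_UID=48 is the value quoted in
# the reply; confirm it locally with `id -u apache`.
APACHE_UID=48

# Umask a shell should get: the default /etc/profile rule described in the
# reply, plus a selective override so only the apache user is changed.
pick_umask() {   # usage: pick_umask UID USERNAME GROUPNAME
    if [ "$1" -eq "$APACHE_UID" ]; then
        echo 0002            # override for apache only
    elif [ "$1" -gt 199 ] && [ "$2" = "$3" ]; then
        echo 0002            # UID > 199 and user name equals group name
    else
        echo 0022            # everyone else
    fi
}

# Create a file and a directory under the given umask and print their
# modes, e.g. "664 775". The function body is a subshell, so the umask
# never leaks into the caller, just as UMask= in a unit file stays with
# that service's processes and does not follow the user account.
probe_modes() (  # usage: probe_modes UMASK
    dir=$(mktemp -d) || exit 1
    umask "$1"
    touch "$dir/f" || exit 1
    mkdir "$dir/d" || exit 1
    echo "$(stat -c %a "$dir/f") $(stat -c %a "$dir/d")"
    rm -rf "$dir"
)

# Umask of an already running process, read from /proc (Linux 4.7+).
proc_umask() {   # usage: proc_umask PID
    awk '/^Umask:/ { print $2 }' "/proc/$1/status"
}
```

In a profile script the rule would be applied as `umask "$(pick_umask "$(id -u)" "$(id -un)" "$(id -gn)")"`, and `proc_umask` pointed at the httpd main PID reports what the service itself is running with.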