Thursday 7 March 2019

umasks: Ensuring httpd / apache is assigning the appropriate permissions on files / directories

I came across an issue the other day where the user httpd was running as was part of a group that had been assigned permissions to the www root. Typically the user httpd runs under will be the owner of these files and directories and, as a result, will almost always have adequate permissions to read, write and execute. However, in this case, because it only had access through the group, the default umask setting of 022 was preventing the httpd user from writing to the files.

The resulting permissions can be worked out by subtracting the umask from the default mode. For example, with a umask of 002:

Directories: 777 - 002 = 775

Files: 666 - 002 = 664

i.e. the owner and group are able to read, write and execute directories, and everyone else can only read and execute them. The owner and group can read and write files, and everyone else can only read them.
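The same calculation as a shell sketch, added here as an example and not part of the original post. The function names are made up for the illustration, and `stat -c` assumes GNU coreutils on Linux. It goes slightly beyond the two cases above: the umask clears bits rather than subtracting, which only matters for masks such as 033, where subtraction would give the wrong answer for files.

```shell
#!/bin/sh
# Added example: effective_mode, group_writable and observed_mode are
# illustrative names, not part of httpd or systemd.

# effective_mode BASE UMASK -> prints BASE with the umask bits cleared (octal).
# BASE is 777 for new directories and 666 for new files.
effective_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# group_writable MODE -> succeeds if the group write bit (020) is set.
group_writable() {
    [ "$(( 0$1 & 020 ))" -ne 0 ]
}

# observed_mode UMASK -> prints "<dir mode> <file mode>" for a directory and
# a file really created under that umask. The body runs in a subshell, so the
# umask change and the cleanup trap do not leak into the caller.
observed_mode() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    umask "$1"
    mkdir "$tmp/d"
    : > "$tmp/f"
    printf '%s %s\n' "$(stat -c '%a' "$tmp/d")" "$(stat -c '%a' "$tmp/f")"
)

# Compare the default umask from the post (022) with the proposed one (002).
for m in 022 002; do
    f=$(effective_mode 666 "$m")
    if group_writable "$f"; then g=yes; else g=no; fi
    echo "umask $m: dirs $(effective_mode 777 "$m"), files $f," \
         "group can write new files: $g, observed: $(observed_mode "$m")"
done

# Bits are cleared, not subtracted: 666 - 033 would suggest 633, but the
# result is 644 because the execute bits in 033 were never set in 666.
echo "umask 033: files $(effective_mode 666 033)"
```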

In order to apply this to httpd we can simply add the following line under the [Service] stanza in /lib/systemd/system/httpd.service:

sudo vim /lib/systemd/system/httpd.service

[Service]
...
UMask = 0002

and finally ensure httpd is restarted with:

sudo systemctl daemon-reload
sudo systemctl restart httpd
