umask for www-data user running PHP on Ubuntu
Solution 1
"umask 002" in /etc/apache2/envvars should work.
Note that Apache must be restarted with "service apache2 stop; service apache2 start" for the change to take effect, not with "service apache2 restart"!
See here if you need a more detailed sample: https://serverfault.com/a/384922/228027
Solution 2
The problem is that the files are being created by PHP-FPM. It's the parent process -- not apache2. The only way I could fix this is by adding the umask to /etc/init/php7.1-fpm.conf. Then restart PHP-FPM.
Related thread: Nginx/php-fpm umask setting.
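Solutions 1 and 2 both rely on the umask being inherited from whichever process actually spawns the PHP workers. The shell sketch below is an added example, not part of the original answers: it creates files from a child process under an inherited umask of 022 and of 002, lists files that are still not group-writable, and reads a running process's umask from /proc (Linux 4.7 or later). The function names and temporary directories are made up for illustration.

```shell
#!/bin/sh
# Added example; function names and temp paths are illustrative only.

# Print the permission string of a file created by a *child* process that
# inherits the given umask from its parent (as a PHP worker inherits it
# from the PHP-FPM master or from the apache2 environment).
mode_from_child() {
    mask=$1
    dir=$(mktemp -d) || return 1
    (
        umask "$mask"                          # set once, in the parent
        sh -c 'echo data > "$1/f"' sh "$dir"   # the child creates the file
    )
    ls -l "$dir/f" | cut -c1-10
    rm -rf "$dir"
}

# List regular files under a directory that the group cannot write:
# the symptom described in the question while the umask is still 022.
not_group_writable() {
    find "$1" -type f ! -perm -020 | sort
}

# Report the umask of a running process. The Umask field in
# /proc/<pid>/status exists on Linux 4.7 and later.
proc_umask() {
    [ -r "/proc/$1/status" ] || { echo unknown; return 0; }
    awk '/^Umask:/ {print $2; f=1} END {if (!f) print "unknown"}' "/proc/$1/status"
}

echo "child under umask 022: $(mode_from_child 022)"
echo "child under umask 002: $(mode_from_child 002)"
echo "umask of this shell:   $(proc_umask $$)"
```

Passing the PID of the apache2 or PHP-FPM master process to proc_umask shows whether a configuration change actually reached the process that creates the files.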
Solution 3
If you run multiple sites you can set default group permission using Access Control Lists (ACL) per directory like so:
Set the setgid flag to force all new files to inherit the group from the directory:
root@sh1:/srv/www/php/fastwarren.ca# chmod g+s wordpress
Make new files have rw for the group permissions, ex. so that www-data can write to files SFTPed by the upload user:
root@sh1:/srv/www/php/fastwarren.ca# setfacl --default --modify group:rwx wordpress
Confirm the ACL is like so:
root@sh1:/srv/www/php/fastwarren.ca# getfacl wordpress
# file: wordpress
# owner: carissacosgrove
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
Create a file to confirm it worked:
root@sh1:/srv/www/php/fastwarren.ca# ll test
-rw-rw-r-- 1 root www-data 0 Feb 17 01:09 test
Solution 4
This wasn't working for me either until I realized the following: PDO SQLite driver plugin for Wordpress will create the database file with group read permission only.
Test your sanity by using the create script from here: How do I set default umask in Apache on Debian?.
HorusKol
Updated on September 18, 2022
Comments
-
HorusKol over 1 year
Setting up a new webserver in Ubuntu 14.04 and trying to wrangle file permissions for PHP generated files.
By default, all the directories and files in /var/www are owned/grouped to www-admin. Directory permissions are rwxrwsr-x and file permissions are rw-rw-r--.
We then set the group on a limited number of directories to www-data - this is so that PHP (via Apache) can write log and cache files in this location.
However, I cannot get PHP to obey a umask of 0002, and so files generated by PHP are only writeable to the www-data user. This is a problem, since we use continuous integration, and some other cleanup processes.
So far, I have:
- Set the umask to 0002 in /etc/pam.d/common-session
- Set the umask to 0002 in /etc/pam.d/common-session-noninteractive
- Set the umask to 0002 in /etc/profile
- Set the umask to 0002 in /etc/apache2/envvars
- Set the umask to 0002 in /etc/login.defs
- Set the umask to 0002 for www-data in /etc/passwd using sudo chfn -o "umask=002" daemon_username
And I'm still stuck.
I've stopped/started the service, and even restarted the computer - no joy.
-
elmo over 9 years
Given the Ubuntu 14.04 /etc/init.d/apache2, how does "service apache2 stop; service apache2 start" differ from "service apache2 restart"?
-
user2743554 over 9 years
do_start in restart may be skipped depending on do_stop result.
-
elmo over 9 years
Yeah, except in those situations you get an error and an exit. Hence, I really see no scenario where "service apache2 restart" can succeed, while still surprising you with the change not taking effect.
-
HorusKol over 9 years
Well, all of those changes "should" work according to the sources I got them from - I'm asking the question because it didn't - and I pretty much always do a complete stop and start instead of restart these days.
-
HorusKol over 9 years
@andol - I've had restarts silently fail with some mis-configurations (particularly SSL stuff that doesn't get picked up with a configtest).