How do I set default umask in Apache on Debian?
Solution 1:
To be sure that the umask setting takes effect, please use a simple test and do not use any other web application for this. It might be the case that these applications change the rights independently from the umask setting of Apache.
Simple test PHP script:
<?php
if ($fp = fopen(time() . '.txt', 'w')) {
    fwrite($fp, 'This is a simple test.');
    fclose($fp);
    echo "done";
} else {
    echo "error - cannot create file";
}
?>
Take care that the user www-data has write access to the folder where you have installed this simple test file.
To have the new umask running, check if the file /etc/apache2/envvars will be used within your Apache start file /etc/init.d/apache2:
...
PIDFILE=$(. /etc/apache2/envvars && echo $APACHE_PID_FILE)
...
Set your umask in /etc/apache2/envvars:
...
# umask 002 to create files with 0664 and folders with 0775
umask 002
Restart your Apache:
service apache2 restart
Check the difference:
#> ls -l *.txt
-rw-rw-r-- 1 www-data www-data 14 2012-05-01 15:56 1335880583.txt
-rw-r--r-- 1 www-data www-data 14 2012-05-01 15:55 1335880540.txt
Solution 2:
If you run multiple sites you can set default group permission using Access Control Lists (ACL) per directory like so:
Set the setgid flag to force all new files to inherit the group from the directory:
# chmod g+s wordpress
Make new files have rw for the group permissions, e.g. so that www-data can write to files SFTPed by the upload user:
# setfacl --default --modify group::rwx wordpress
Confirm the ACL is like so:
# getfacl wordpress
# file: wordpress
# owner: carissacosgrove
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
Create a file to confirm it worked:
# ll test
-rw-rw-r-- 1 root www-data 0 Feb 17 01:09 test
Solution 3:
(For Debian Stretch that uses systemd - Thanks womble!)
Put UMask=0002 in the Apache2 systemd service unit file, reload the service unit, and then restart Apache2.
$ pwd
/etc/systemd/system/multi-user.target.wants
$ cat apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
[Service]
. . . .
UMask=0002
$ sudo systemctl daemon-reload
$ sudo systemctl restart apache2
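A way to check the result of any of the three solutions without deploying a PHP script, as an added example that is not part of the original answers. The function names are hypothetical, and it assumes Linux 4.7 or later (for the Umask field in /proc/PID/status), a stat that accepts -c, and pgrep.

```shell
#!/bin/sh
# Added example; the function names are hypothetical.

# mode_under_umask UMASK file|dir
# Create a scratch file or directory under UMASK and print its octal mode.
mode_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        case "$2" in
            file) : > "$tmp/probe" ;;
            dir)  mkdir "$tmp/probe" ;;
            *)    rm -rf "$tmp"; exit 2 ;;
        esac
        mode=$(stat -c '%a' "$tmp/probe")
        rm -rf "$tmp"
        echo "$mode"
    )
}

# proc_umask PID
# Print the umask the kernel reports for a running process: the "Umask:"
# field of /proc/PID/status (assumes Linux 4.7 or later).
proc_umask() {
    awk '$1 == "Umask:" { print $2; found = 1 } END { exit !found }' \
        "/proc/$1/status"
}

# report_umask NAME EXPECTED
# Print every process named NAME whose umask differs from EXPECTED.
# Returns 0 if all match, 1 on a mismatch, 2 if no such process is running.
report_umask() {
    pids=$(pgrep -x "$1") || return 2
    rc=0
    for pid in $pids; do
        actual=$(proc_umask "$pid") || continue
        if [ "$actual" != "$2" ]; then
            echo "pid $pid: umask $actual, expected $2"
            rc=1
        fi
    done
    return "$rc"
}
```

On Debian the server processes are named apache2, so `report_umask apache2 0002` prints nothing and returns 0 once the new setting is live. A umask of 002 leaves every new file group-writable, so review who is a member of the www-data group.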