Setting up a new webserver in Ubuntu 14.04 and trying to wrangle file permissions for PHP generated files.

By default, all the directories and files in /var/www are owned/grouped to www-admin. Directory permissions are rwxrwsr-x and file permissions are rw-rw-r--.

We then set the group on a limited number of directories to www-data - this is so that PHP (via Apache) can write log and cache files in this location.

However, I cannot get PHP to obey a umask of 0002, and so files generated by PHP are only writeable to the www-data user. This is a problem, since we use continuous integration, and some other cleanup processes.

So far, I have:

  • Set the umask to 0002 in /etc/pam.d/common-session
  • Set the umask to 0002 in /etc/pam.d/common-session-noninteractive
  • Set the umask to 0002 in /etc/profile
  • Set the umask to 0002 in /etc/apache2/envvars
  • Set the umask to 0002 in /etc/login.defs
  • Set the umask to 0002 for www-data in /etc/passwd using sudo chfn -o "umask=002" daemon_username

And I'm still stuck.

I've stopped/started the service, and even restarted the computer - no joy.

HorusKol

5 Answers

5

"umask 002" in /etc/apache2/envvars should work.

Take notice that Apache must be restarted by "service apache2 stop; service apache2 start" for this to take effect, not by "service apache2 restart"!

See here if you need a more detailed sample: https://serverfault.com/a/384922/228027

2

If you run multiple sites you can set default group permission using Access Control Lists (ACL) per directory like so:

Set the setgid flag to force all new files to inherit the group from the directory:

root@sh1:/srv/www/php/fastwarren.ca# chmod g+s wordpress

Make new files have rw for the group permissions, ex. so that www-data can write to files SFTPed by the upload user:

root@sh1:/srv/www/php/fastwarren.ca# setfacl --default --modify group:rwx wordpress

Confirm the ACL is like so:

root@sh1:/srv/www/php/fastwarren.ca# getfacl wordpress
# file: wordpress
# owner: carissacosgrove
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

Create a file to confirm it worked:

root@sh1:/srv/www/php/fastwarren.ca# ll test
-rw-rw-r-- 1 root www-data 0 Feb 17 01:09 test

2

The problem is that the files are being created by PHP-FPM. It's the parent process -- not apache2. The only way I could fix this is by adding the umask to /etc/init/php7.1-fpm.conf. Then restart PHP-FPM.

Related thread: Nginx/php-fpm umask setting.

1

This wasn't working for me either until I realized the following: the PDO SQLite driver plugin for Wordpress will create the database file with group read permission only.

Test your sanity by using the create script from here: How do I set default umask in Apache on Debian?.

0

For Ubuntu, I think a better/easier way to add this is to create a file at /etc/systemd/system/php8.2-fpm.service.d/umask.conf. This means we just have to copy a file over instead of modifying system ones:

[Service]
UMask=0002
bilogic
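As an added example, not code from any of the answers, here is a small POSIX shell helper set for checking what the ACL answer and the php-fpm answers rely on: what a given umask does to a new file, what umask a running apache2 or php-fpm worker actually holds, and whether a setgid directory yields group-writable files. It assumes Linux with GNU coreutils (`stat -c`) and a kernel that reports `Umask:` in `/proc/<pid>/status`; all function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread above. Helper functions to
# verify umask behaviour instead of guessing which config file took
# effect. Assumes Linux, GNU coreutils (stat -c) and a kernel that
# exposes "Umask:" in /proc/<pid>/status (4.7+). Names are my own.

# Octal permission bits a new regular file receives under umask $1.
# Done in a subshell so the caller's own umask is left untouched.
perms_under_umask() {
    _d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$_d/probe" ) || return 1
    stat -c '%a' "$_d/probe"
    rm -rf "$_d"
}

# Effective umask of a running process as the kernel sees it. Point this
# at an apache2 or php-fpm worker PID: it shows what the service manager
# passed down, regardless of /etc/profile or the PAM session files.
proc_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# True if directory $1 carries the setgid bit (chmod g+s), which makes
# new files inherit its group, e.g. www-data, rather than the creator's.
is_setgid_dir() {
    [ -d "$1" ] && [ -g "$1" ]
}

# True if a file created in $1 by the current process (its user and
# umask) ends up group-writable. Run it under the web server's identity.
check_group_writable() {
    _f="$1/.umask-probe.$$"
    : > "$_f" || return 1
    _mode=$(stat -c '%a' "$_f")
    rm -f "$_f"
    # shift out the "other" digit, then test the group write bit (2)
    [ $(( (0$_mode >> 3) & 2 )) -ne 0 ]
}

main() {
    printf 'umask 002 -> %s, umask 022 -> %s\n' \
        "$(perms_under_umask 002)" "$(perms_under_umask 022)"
    printf 'umask of this shell (PID %s) per /proc: %s\n' "$$" "$(proc_umask "$$")"
    if is_setgid_dir "${1:-.}"; then echo "${1:-.} is setgid"; fi
}

main "$@"
```

Run it as the www-data user (for example via `sudo -u www-data sh umask-check.sh /var/www/site/cache`) to see the permissions PHP-created files will really get in that directory.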