Setting the umask of the Apache user

Linux, Apache

Linux Problem Overview


I am setting up a LAMP server and would like to set Apache's umask setting to 002 so that all Apache-created files have the group write permission bit set (so members of the same group can overwrite the files).

Does anyone know how to do this? I know that on Ubuntu, you can use the /etc/apache2/envvars file to configure the umask, but the server is running CentOS.

Update: This question is related to another I asked a while ago (https://stackoverflow.com/questions/174715/linux-users-and-groups-for-a-lamp-server). If preferred, please update this other question with what the best set-up is to use for having a developer user on a server that can edit files created by the apache user.

Linux Solutions


Solution 1 - Linux

For CentOS and other Red Hat distros, add the umask setting to /etc/sysconfig/httpd and restart apache.

[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd
[root ~]$ service httpd restart

More info: Apache2 umask | MDLog:/sysadmin (http://www.ducea.com/2009/08/03/apache2-umask/)

For Debian and Ubuntu systems, you would similarly edit /etc/apache2/envvars.

Solution 2 - Linux

This was the first result in Google search results for "CentOS 7 apache umask", so I will share what I needed to do to get this to work with CentOS 7.

With CentOS 7 the echo "umask 002" >> /etc/sysconfig/httpd -method did not work for me.

I did overwrite the systemd startup file by creating a folder /etc/systemd/system/httpd.service.d and there I created a file umask.conf with lines:

[Service]
UMask=0007

Booted and it worked for me.
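
An added check, not part of the original answer: the script below reads the UMask= value from a drop-in, reads the Umask: field of running httpd processes from /proc (Linux 4.7 or later), and prints the file and directory modes each value yields. The function names and the sample drop-in are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the umask a drop-in requests with the one the
# running daemon really has, and show the permissions that result.

# Permissions left after the umask clears bits from the requested mode.
effective_mode() {   # usage: effective_mode <requested-octal> <umask-octal>
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# Last UMask= value in a unit or drop-in file (later assignments win).
dropin_umask() {     # usage: dropin_umask <file>
    sed -n 's/^[[:space:]]*UMask[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Umask: field of a /proc/<pid>/status file (present since Linux 4.7).
proc_umask() {       # usage: proc_umask <status-file>
    awk '$1 == "Umask:" { print $2 }' "$1"
}

# Report every running process with the given name (default: httpd).
audit_service() {
    name=${1:-httpd}
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        um=$(proc_umask "/proc/$pid/status")
        echo "pid $pid umask $um files $(effective_mode 666 "$um") dirs $(effective_mode 777 "$um")"
    done
}

# Constructed sample: a drop-in with the same content as in the answer above.
sample=$(mktemp)
printf '[Service]\nUMask=0007\n' > "$sample"
want=$(dropin_umask "$sample")
echo "drop-in asks for $want: files $(effective_mode 666 "$want"), dirs $(effective_mode 777 "$want")"
echo "umask 0002 would give: files $(effective_mode 666 0002), dirs $(effective_mode 777 0002)"
rm -f "$sample"
audit_service httpd
```

A value of 0007 keeps group write but removes all access for other users, whereas 0002 leaves files world-readable.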

Solution 3 - Linux

Apache inherits its umask from its parent process (i.e. the process starting Apache); this should typically be the /etc/init.d/ script. So put a umask command in that script.

Solution 4 - Linux

Adding a umask command to /etc/apache2/envvars does not seem like a good idea to me, not only because of the name of the file (mentioning variables only) but also based on this comment found in that file:

# Since there is no sane way to get the parsed apache2 config in scripts, some
# settings are defined via environment variables and then used in apache2ctl,
# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.

This suggests that /etc/apache2/envvars might be sourced by any script doing Apache-related tasks, and changing the umask of those (unknown beforehand) scripts is rather dangerous.

On the other hand, in case the idea of changing the umask of Apache targets relaxing the permissions of files created by mod_dav, you should consider that the DAV repository is considered private to Apache and letting other processes access those files may lead to various issues (including corruption).

Solution 5 - Linux

Adding to answer by Luoti / Spider Man for CentOS7: instead of "booting" after the change, these commands can be used:

systemctl daemon-reload
service httpd restart

Solution 6 - Linux

In Debian, another place to set up the umask for Apache is /etc/default/apache2. Just add this line at the end of this file: umask 0002

Solution 7 - Linux

What you may want to do instead is set the group's sticky bit (SetGID) on the directory your CGI is working with:

chmod g+s dir

*Make sure* when you do this that (user) apache is in the `mygroup` group (in `/etc/group`), so it will have permissions.

This will make it so any file created under this directory will be owned by the same group as the directory. 

This is a safer approach than setting a global umask for EVERY cgi script that apache may run.

(This is how `git-http-backend` is typically run from Apache).
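
An added demonstration, not part of the original answer, of what the SetGID bit on a directory controls: new entries inherit the directory's group and subdirectories inherit the bit, while the group-write bit still comes from the process umask. It assumes GNU stat on Linux; `setgid_demo` is a hypothetical name and the directory is a throwaway one.

```shell
#!/bin/sh
# Added example: what a SetGID directory changes and what it leaves to the umask.

# Create a file and a subdirectory inside a fresh SetGID directory under
# the given umask; print "<file-mode> <subdir-mode> <group-inherited>".
setgid_demo() {      # usage: setgid_demo <umask-octal>
    dir=$(mktemp -d) || return 1
    # Use a supplementary group when the caller has one, so that group
    # inheritance is visible rather than coincidental.
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ] && chgrp "$g" "$dir" 2>/dev/null; then
            break
        fi
    done
    chmod 770 "$dir"
    chmod g+s "$dir"                        # same command as in the answer
    ( umask "$1"; : > "$dir/upload.txt"; mkdir "$dir/sub" )
    fmode=$(stat -c '%a' "$dir/upload.txt")
    smode=$(stat -c '%a' "$dir/sub")
    if [ "$(stat -c '%g' "$dir/upload.txt")" = "$(stat -c '%g' "$dir")" ]; then
        same=yes
    else
        same=no
    fi
    rm -rf "$dir"
    echo "$fmode $smode $same"
}

# Same directory setup, three different umasks.
for um in 022 002 007; do
    echo "umask $um -> $(setgid_demo "$um")"
done
```

With umask 022 the file lands in the shared group but stays 644, so other group members still cannot overwrite it.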

Solution 8 - Linux

For Ubuntu there is a tool, svnwrap.

  1. Install: sudo apt-get install subversion-tools
  2. Wrap svn and svnserve with svnwrap:
    sudo ln -s /usr/bin/svnwrap /usr/local/bin/svn
    sudo ln -s /usr/bin/svnwrap /usr/local/bin/svnserve

After this, all svn operations using the file://, svn+ssh:// and http:// protocols will be done with umask 002.

Solution 9 - Linux

Here it might be helpful.

Managing file permissions for rhel/centos

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/file-permissions-rhel8_configuring-basic-system-settings#displaying-the-umask_file-permissions-rhel8

# ls -lrt /etc/systemd/system/httpd.service.d/umask.conf
-rw-r--r-- 1 root root 21 Feb 25 10:19 /etc/systemd/system/httpd.service.d/umask.conf

# cat /etc/systemd/system/httpd.service.d/umask.conf
[Service]
UMask=0002

Solution 10 - Linux

Luoti's answer worked for me on CentOS7.

System boot or reboot is not required.

You may get this warning when you restart the service using command systemctl restart httpd

`Warning: httpd.service changed on disk. Run 'systemctl daemon-reload' to reload units`.

So first run systemctl daemon-reload command then systemctl restart httpd

Solution 11 - Linux

Drifting away from the "tried and true Apache way" is usually not recommended. Lots of time and hard-won experience has gone into the selection of such things.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | DavidWinterbottom | View Question on Stackoverflow |
| Solution 1 - Linux | Patrick Fisher | View Answer on Stackoverflow |
| Solution 2 - Linux | Luoti | View Answer on Stackoverflow |
| Solution 3 - Linux | Martin v. Löwis | View Answer on Stackoverflow |
| Solution 4 - Linux | Ferenc Wágner | View Answer on Stackoverflow |
| Solution 5 - Linux | Erik Liljencrantz | View Answer on Stackoverflow |
| Solution 6 - Linux | Francis | View Answer on Stackoverflow |
| Solution 7 - Linux | Brad | View Answer on Stackoverflow |
| Solution 8 - Linux | AndreyP | View Answer on Stackoverflow |
| Solution 9 - Linux | caot | View Answer on Stackoverflow |
| Solution 10 - Linux | prograshid | View Answer on Stackoverflow |
| Solution 11 - Linux | Rob Wells | View Answer on Stackoverflow |