On 10/27/2016 02:27 PM, Alex wrote:
> Hi,
> 
> 
>>> I've actually already done these exact steps, and it doesn't work (on
>>> fedora23). When you say you've tested it, do you mean you tested the
>>> steps above, or you did something to confirm afterwards that its umask
>>> is 0002?
>>>
>>> # cat /etc/systemd/system/httpd.service.d/override.conf
>>> [Service]
>>> UMask=0002
>>> # systemctl restart httpd
>>> # su - apache -s /bin/bash
>>> -bash-4.3$ umask
>>> 0022
>>
>> Alex, the change to the override.conf file affects ONLY the httpd
>> _process_ started by systemd. It does NOT change the umask for the
>> apache _user_ (which is what you tested).
>>
>> The only way to verify the change "took" is to have the httpd process
>> create a file and check the mode of the file created.
> 
> Yes, thanks. I still need to test it for joomla through the apache
> user, but as I mentioned in a previous email a few minutes ago, it
> still appears to be 0022.
> 
> How is it set for the normal user? I've modified /etc/bashrc (and even
> /etc/profile), and the apache user doesn't have a .bashrc or
> .bash_profile, and it's still 0022.

Where did you set it? By default /etc/profile changes the umask for
interactive shells to 0002 under the following criteria:

        if the user ID is > 199 AND
        the EUID (by name) is the same as the EGID (by name)

Otherwise the umask is set to 0022. By default, /etc/bashrc does
precisely the same for _non-login_ bash shells.

Just to prove you can change the umask via /etc/profile:

        [root@prophead ~]# su - apache -s /bin/bash -c "umask"
        0022
        [root@prophead ~]# echo "umask 0002" >>/etc/profile
        [root@prophead ~]# su - apache -s /bin/bash -c "umask"
        0002

Note that this affects ALL users' interactive shells, so delete that
line we just added from the end of /etc/profile as soon as possible
after you're satisfied it works.

I'd highly recommend you add code to both /etc/profile and /etc/bashrc
to selectively change the umask for the apache user (on my machine,
that's UID 48).

> This is important because the "joomadmin" user will be manipulating
> these files via sFTP or scp.
> 
> I've also tried modifying the Subsystem variable to first set the
> umask before running /usr/libexec/openssh/sftp-server, and the Windows
> sFTP client they're using apparently can't handle this.

Uh, how? The /etc/ssh/sshd_config line should read:

        Subsystem       sftp    /usr/libexec/openssh/sftp-server -u 0002

and you must restart sshd via "systemctl restart sshd.service" as
/etc/ssh/sshd_config is only read when sshd starts up.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-      A day for firm decisions!!!   Well, then again, maybe not!    -
----------------------------------------------------------------------
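
The selective change recommended in the message above (apache gets 0002, everyone else keeps the default rule), plus the create-a-file check from the quoted reply, as an added example that is not part of the original message. The names TARGET_USER, pick_umask and mode_under_umask are assumptions of this example, and the account is matched by name because UID 48 is specific to the author's machine.

```shell
# Added example, meant to be appended to /etc/profile and /etc/bashrc.
# TARGET_USER, pick_umask and mode_under_umask are names made up for this example.
TARGET_USER="apache"

# pick_umask UID USERNAME GROUPNAME -> prints the umask to apply
pick_umask() {
    if [ "$2" = "$TARGET_USER" ]; then
        # Special case: only the web server account is forced to 0002.
        echo 0002
    elif [ "$1" -gt 199 ] && [ "$2" = "$3" ]; then
        # Default rule from the message: UID > 199 and user name == group name.
        echo 0002
    else
        echo 0022
    fi
}

# mode_under_umask UMASK -> prints the permission string of a file created
# under that umask. The body runs in a subshell, so the caller's umask is
# left untouched.
mode_under_umask() (
    umask "$1"
    d=$(mktemp -d) || exit 1
    touch "$d/probe"
    ls -ld "$d/probe" | cut -c1-10
    rm -rf "$d"
)

# Apply the decision to the shell that sources this snippet.
umask "$(pick_umask "$(id -u)" "$(id -un)" "$(id -gn)")"
```
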