2

On Rocky 8 (Redhat), I have a site running under Apache (httpd). I have the permissions set as follows including setguid so files created within the uploads folder inherit the group:

[root@myserver ~]# ls -la /var/www/vhosts/mysite.com/var/ total 104 drwxrwsr-x+ 6 mysiteowner webadmin 72 Jun 20 20:31 . drwxrwsr-x+ 4 mysiteowner webadmin 152 May 28 16:04 .. drwxrwsr-x+ 3 mysiteowner webadmin 4096 Jul 10 15:06 logs drwxrwsr--+ 2 mysiteowner webadmin 4096 Jul 10 15:23 uploads

However, when files are created in the uploads folder, the group permissions is set to read-only.

[root@myserver ~]# ls -la /var/www/vhosts/mysite.com/var/uploads/ drwxrwsr--+ 2 mysiteowner webadmin 4096 Jul 10 15:23 . drwxrwsr-x+ 6 mysiteowner webadmin 72 Jun 20 20:31 .. -rw-r--r--+ 1 apache webadmin 562 Jul 10 15:23 file10-07-24.csv -rw-r--r--+ 1 apache webadmin 562 Jul 9 15:09 file09-07-24.csv

These files are uploaded by users of mysite.com and processed by a script. The script is unable to process due to a permission denied message. If I change the owner of the files to mysiteowner replacing apache, the script works as expected.

If I set a default ACL for the user...

setfacl -d -m u:mysiteowner:rwX /var/www/vhosts/mysite.com/var/uploads/

...any new files in the uploads folder have rw but overridden by the effectively mask. The umask is 0022.

I was expecting the permissions of files in the uploads folder to be -rw-rw-r--+ inherited from the group webadmin. Any reason why this is happening?

After applying the ACL, why would the mysiteowner user effectively have r and not rw?

14 July 2024 Edited for clarity

To add more details, there is a PHP script which essentially executes the following wrapped in a try..catch :

$today = new DateTime(); $file = $form->get('file')->getData(); $fileName = $file->getFilename().$today->format('d-m-y'); $extension = $file->getClientOriginalExtension(); $newFileName = $fileName.'.'.$extension; $file->move($this->getParameter('upload_dir'), $newFileName);

upload_dir is a configuration setting stored in a YAML file and maps to /var/www/vhosts/mysite.com/var/ .

Improve this question
7
  • 1
    Why have you not adjusted the umask? Commented Jul 10, 2024 at 17:46
  • @J_H I didn't think this was possible as /etc/sysconfig/httpd doesn't exist on Rocky 8. Commented Jul 11, 2024 at 10:57
  • Well, somewhere a config line says “httpd”. Change it to your own httpd.sh script, which adjusts umask before doing “exec httpd”. Alternatively, “mv” httpd to httpd.real, create an httpd Bourne script, and we have the same sort of fix in place. Commented Jul 11, 2024 at 13:48
  • Can you edit your post to show us how the files in uploads get created? By some sort of script, or a CGI plug-in or something that you've incorporated into your Apache config? That patchpoint could be another location where you could set a proper umask, which would be specific to those files created in the uploads directory. Commented Jul 12, 2024 at 0:17
  • @JimL. I've added the part of the PHP script that uploads the file. This script is executed after a user clicks on the Upload button in the UI. Commented Jul 14, 2024 at 18:34

2 Answers 2

Reset to default
1

SETGID bit -- set-group-ID bit -- as the name says keeps the group id, not permissions. Change the apache umask to have proper permissions.

Improve this answer
0

In RHEL/Rocky 8.x, all system services have been changed from SysVinit scripts to systemd unit files, so changing the umask of httpd requires creating an override file for httpd.service:

Step 1: run systemctl edit httpd.service.

Step 2: when the editor starts, type in two lines:

[Service] Umask=0002

Then save the file. This will add the lines you wrote into /etc/systemd/system/httpd.service.d/override.conf and will tell systemd to reload the service definition.

Step 3: restart httpd with systemctl restart httpd.

Unless the configuration of Apache or PHP overrides the umask, the new umask should now be in effect for any newly uploaded files.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.