3

I run apache as user www-data on Ubuntu 10_04 LTS. I've got /etc/apache2/envvar setup with 'umask 002' so that any new files/dirs created by the daemon have group write permissions enabled. At times, I need to create files/dirs from the command line so I do 'sudo -u www-data' commands, but I can't figure out how to get those to enable group write permissions on creation.

In /etc/passwd, Ubuntu's home directory is listed as '/var/www'. So, per the ubuntu documentation (https://help.ubuntu.com/community/EnvironmentVariables), I've tried adding "umask 002" to the following locations:

/var/www/.profile

/var/www/.bashrc

/var/www/.bash_profile

/var/www/bash_login

And the the global environment files:

/etc/environment

/etc/bash.bashrc

Even after adding "umask 002" to all those files and rebooting, running 'sudo -u www-data touch testfile' results in "-rw-r--r--" permissions. (I tried that with the www-data shell set to both /bin/sh and /bin/bash.)

Is there any way to setup so that 'sudo -u www-data' commands will create items with group write permissions enabled?

Community
  • 1
Alan W. Smith
  • 249
  • 1
  • 4
  • 10
  • As a note to future people who come across your question and, like me, were wondering why your approach doesn't work: `sudo -u www-data ` starts the *calling user's* shell as a *non-interactive non-login* shell as user www-data and has it execute ``, so – being non-interactive – in general no dotfiles get executed at all. (You can force `sudo` to start the shell as a login shell, which will then execute `.profile` among others, by using the option `-i`.) So that explains why adding `umask 002` to www-data's dotfiles doesn't work. – balu Mar 27 '16 at 23:48
  • …Moreover, `sudo` uses the calling user's umask (with certain restrictions, see the options `umask` and `umask_override` in `man sudoers` or the answer below), so that in general `` will be executed with that umask. (Again, you can change that by using sudo's `-i` option and setting a new umask in www-data's dotfiles.) – balu Mar 28 '16 at 00:07
  • It seems I was wrong. `sudo -u www-data ` won't start a new shell at all (unless options `-i` or `-s` are given). For instance, if it did, www-data's `.zshenv` should be executed upon `sudo -u www-data ` (provided the calling user uses zsh). This is because, as an exception to my statement above, `.zshenv` is sourced for every instance of zsh (no matter whether interactive/non-interactive, login/non-login). Here, however, it isn't. `sudo -u www-data ` simply runs `` as user www-data, by using `setuid()` to change the user of the child process it spawns. – balu Mar 28 '16 at 00:29

1 Answers1

2

Have you tried setting it via /etc/sudoers itself? As per sudoers(5):

   umask_override  If set, sudo will set the umask as specified by sudoers
                   without modification.  This makes it possible to
                   specify a more permissive umask in sudoers than the
                   user's own umask and matches historical behavior.  If
                   umask_override is not set, sudo will set the umask to
                   be the union of the user's umask and what is specified
                   in sudoers.  This flag is off by default.
khosrow
  • 4,163
  • 3
  • 27
  • 33
  • 1
    'umask_override' didn't do it, but setting a 'umask' option did. (That is, for username 'asmith' adding the line 'Defaults:asmith umask=0777' produced what I was looking for. Per the sudoers man page, setting umask to 0777 preserves the user's umask. Since I have 'umask 002' set in my ~/.bashrc file, I now get the behavior I'm looking for (i.e. group write permissions enabled for new files/dirs created with 'sudo -u www-data ...' commands. – Alan W. Smith Jun 01 '11 at 00:32
  • P.S. I'm marking this as the correct answer since you got me pointed to the right location and deserve the karma for it. My comment with the details should help folks see what I did, but if you want to update the block quote in your original answer to pull the 'umask' instead of 'umask_override' section, that might be helpful as well. – Alan W. Smith Jun 01 '11 at 00:37