1

I've been battling with umask/permission problems for a while now in various cases. I have set www-data (run by nginx/php-fpm) to have a umask of 002 in the /etc/init/php-fpm.conf file, and my deployer user also has a umask of 002 in /home/deployer/.bashrc. The application files all have the 0660 permissions (0770 for directories) so that they both can read/write them (the deployer's main group is www-data). However, I keep running into cases where this umask is not getting honored, and files are set to 644 or 640.

My current case is when SSHing in as root using an ansible script, with the options of:

sudo: yes
sudo_user: deployer

Files created with ansible are getting file permissions of 644. How do I see where umask is getting set, and where to add the umask?

Secondly, is there not a better way to do deployment? I would like to just avoid this issue completely and do all deployment work as the www-data user, but apparently that's a security issue. This umask stuff is really complicating deployment.

Thank you.

timetofly
  • I'm curious if you ever found a solution to this (2 years later). I am having the same issue, and tried the only suggestion posted below but it did not work for me either. – fronzee Feb 15 '17 at 20:13

2 Answers

0

Probably depends on what flavor of Unix, but the page for sshd for HP-UX says that when a user successfully logs in via SSH, one of the steps is:

 Reads the file ~/.ssh/environment, if it exists, and users are
 allowed to change their environment.  See the
 PermitUserEnvironment option in sshd_config(5).

So you may want to try to create a file /home/deployer/.ssh/environment and set the umask there too.

This probably doesn't apply to your situation, but for SFTP, you can have a system-wide setting for files transferred via sftp by including the command

SftpUmask 002

in the file /opt/ssh/etc/sshd_config or whatever your man page for sshd_config says.

Mark Stewart
  • 1
    Hi, I am using Ubuntu 14.04. Creating and adding the umask to the environment file for both root and deployer users didn't change anything =\. Sftp doesn't apply in my case. – timetofly Oct 29 '14 at 16:48
0

I was able to get a default umask working with deployer, on Ubuntu Server 16.04, by following this page. In short, you need to edit /etc/pam.d/common-session and make sure there is a line that says session optional pam_umask.so umask=022 (or whatever umask you want). This will set a default umask for all connections, regardless of whether they are interactive or not.

DISCLAIMER: This may have ramifications system-wide for all users. I have not tested this solution extensively.

fronzee
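An added example, not part of the original thread or either answer: a shell check for the symptom discussed above. It shows that 644 and 640 are what a default create yields under umask 022 and 027 (so the 002 setting never reached that process), and it lists entries in a tree that break the 0660/0770 layout from the question. The function names are hypothetical, and GNU `stat` and `find` (as on Ubuntu) are assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat/find.

# Print the octal mode a newly created file or directory receives under
# a given umask. $1 = umask, $2 = "file" or "dir".
# The subshell confines the umask change: a umask is per-process state,
# which is why a value set in ~/.bashrc never reaches a process that
# did not start from an interactive shell reading that file.
mode_under_umask() {
    (
        umask "$1" || exit 1
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then
            mkdir "$tmp/probe"      # requested mode 0777, masked by umask
        else
            : > "$tmp/probe"        # requested mode 0666, masked by umask
        fi
        stat -c '%a' "$tmp/probe"
        rm -rf "$tmp"
    )
}

# List entries under $1 that the shared group cannot fully use:
# regular files missing g+rw, or directories missing g+rwx.
audit_group_access() {
    find "$1" \( -type f ! -perm -060 \) -o \( -type d ! -perm -070 \)
}

# Show the resulting modes for the umask values relevant to this thread.
for mask in 002 022 027; do
    printf 'umask %s -> file %s, dir %s\n' "$mask" \
        "$(mode_under_umask "$mask" file)" "$(mode_under_umask "$mask" dir)"
done
```

Running `audit_group_access` on the application directory after a deploy shows which files were created by a process that did not inherit the 002 umask.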