There is a test server (Debian 7) where we have fun with friends. All processes that usually run as www-data are split into individual users (nginx, php-fpm, thin); all services and people involved have a webdev group which, ideally, should preserve the information about who created a file/folder while giving all members of the group full access to the files. Keeping the group on all files inside /var/www was implemented without problems (chmod g+s -R), and umask 002 is (for now) set in /etc/profile, but when something needs to be done from php-fpm (sudo -u php-fpm -H), files are created without group write access (rw-r--r-- instead of rw-rw-r--). The problem is temporarily solved by hardcoding the umask in the sudoers file, but this is a wild crutch that I would like to resolve somehow: either set the umask only for php-fpm, or tell me how to use sudo so that it pulls in /etc/profile and the other files. Patching /etc/pam.d/common-session, /etc/pam.d/common-session-noninteractive and /etc/login.defs, adding pam_umask.so and UMASK, had no effect.


    If a new file is created in a directory with the sgid attribute, it is assigned the identity of the user who created it (php-fpm) and the group of the directory itself (webdev), but the write permission is not inherited, i.e. in a directory with permissions drwxrwsr-x www-data webdev, newly created files will have the default permissions -rw-r--r-- php-fpm webdev. Apparently there are three options:

    • use of umask;
    • use of ACL;
    • run chmod 644 -R /var/www/

    I myself currently use a simple variant with a script in cron:

    cat /root/faxes.sh

        #!/bin/sh
        # Fix permissions on faxes received in the last minute, then copy them to the share.
        # The name pattern is quoted so the shell does not expand it before find sees it.
        find /var/spool/hylafax/recvq/ -name 'fax*.tif' -mmin -1 -exec chmod 750 {} \;
        scp -p -i /root/rsync-key `find /var/spool/hylafax/recvq/ -name 'fax*.tif' -mmin -1` 192.168.0.5:/share/faxes/new/

    The script changes permissions for files created in the last minute and copies them to a shared folder.
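As an added example (not part of the question or of the answer above), the following POSIX shell script reproduces in a temporary directory what the answer describes: a directory with g+s (mode 2775, like /var/www in the question) passes its group on to new files, while the rw bits of each new file still come from the umask of the process that creates it. It shows the 022 result the questioner is fighting and the 002 result that /etc/profile's umask gives, and a guarded helper for the ACL option from the answer's list. The function names (perm_string, mode_under_umask, make_sgid_dir, apply_default_acl) are my own; it assumes ls, cut and mktemp, and setfacl/getfacl only if present; the group name webdev is taken from the question, and /var/www is never touched.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Shows that a setgid directory hands its group to new files while the
# rw bits still come from the creating process's umask. Everything happens
# in a temporary directory; /var/www and the webdev group are not modified.

# Permission string (ls -l column 1, e.g. drwxrwsr-x) of a path.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Create an empty file in directory $1 under umask $2 and print its
# permission string. The umask is set in a subshell, so the caller's
# umask is left unchanged.
mode_under_umask() {
    _dir=$1
    _mask=$2
    _file="$_dir/file-umask-$_mask"
    (umask "$_mask" && : > "$_file")
    perm_string "$_file"
}

# Prepare a directory the way the question describes /var/www:
# group-writable with the setgid bit (chmod g+s), i.e. mode 2775.
make_sgid_dir() {
    _d=$(mktemp -d)
    chmod 2775 "$_d"
    printf '%s\n' "$_d"
}

# The ACL route from the answer's list: a default ACL on the directory gives
# group $2 rw on every new file regardless of the creator's umask. Only does
# anything where setfacl is installed and the group exists; prints the
# resulting default group entry.
apply_default_acl() {
    command -v setfacl >/dev/null 2>&1 || return 0
    setfacl -d -m "g:$2:rwx" "$1" 2>/dev/null || return 0
    getfacl -p "$1" 2>/dev/null | grep '^default:group:'
}

demo=$(make_sgid_dir)
echo "directory:            $(perm_string "$demo")"                 # drwxrwsr-x
echo "file under umask 022: $(mode_under_umask "$demo" 022)"        # -rw-r--r--  (the question's problem)
echo "file under umask 002: $(mode_under_umask "$demo" 002)"        # -rw-rw-r--  (what umask 002 in /etc/profile gives)
apply_default_acl "$demo" webdev
rm -rf "$demo"
```

Run it as any user; the directory's group in the demo is simply the caller's primary group, since assigning webdev would require that group to exist on the machine. The point to take from the two file lines is that the setgid bit on the directory decides the group of a new file but never its mode, which is why the answer lists umask, a default ACL, or a chmod afterwards as the three ways to get group write.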