There is a test server (Debian 7) where we have fun with friends. All processes that usually run as www-data are split into individual users (nginx, php-fpm, thin); all services and participants are in a webdev group, which, ideally, should preserve the information about who created a file or folder while giving all members of the group full access to the files. Keeping the group on all files inside /var/www was implemented without problems (chmod g+s -R), and umask 002 is (for now) set in /etc/profile; however, when something needs to be done as php-fpm (sudo -u php-fpm -H), files are created without write access for the group (rw-r--r-- instead of rw-rw-r--). The problem is temporarily solved by hardcoding the umask in the sudoers file, but this is a wild crutch that I would like to resolve somehow: either set the umask only for php-fpm, or tell me how to use sudo so that it pulls in /etc/profile and the other files. Patching /etc/pam.d/common-session, /etc/pam.d/common-session-noninteractive and /etc/login.defs, adding pam_umask.so and UMASK, had no effect.
1 answer
If a new file is created in a directory with the sgid attribute, it is assigned the identity of the user who created it (php-fpm) and the group of the directory itself (webdev), but the write permission is not inherited, i.e. in a directory with the rights drwxrwsr-x www-data webdev, newly created files will have the default permissions -rw-r--r-- php-fpm webdev. Apparently there are three options:
- use of umask;
- use of ACL;
- run chmod 644 -R /var/www/
I myself currently use a simple version with a script in cron:
cat /root/faxes.sh
#!/bin/sh
# Fix permissions on faxes received within the last minute
# (the pattern is quoted so the shell does not expand it before find sees it)
find /var/spool/hylafax/recvq/ -name 'fax*.tif' -mmin -1 -exec chmod 750 {} \;
# Copy the same files to the shared folder, preserving modes and times
scp -p -i /root/rsync-key `find /var/spool/hylafax/recvq/ -name 'fax*.tif' -mmin -1` 192.168.0.5:/share/faxes/new/
The script changes permissions for files created in the last minute and copies them to a shared folder.
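The behaviour the answer describes, as an added example that is not part of the question or the answer: a setgid scratch directory stands in for /var/www, the same file is created under umask 022 (the default that produced rw-r--r-- above) and under umask 002, a subdirectory shows that directories, unlike files, do inherit the setgid bit, and a repair function adds group write to regular files only instead of a blanket recursive chmod. All paths and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates setgid directory
# semantics on a scratch directory instead of /var/www (paths constructed).

# Create a setgid, group-writable directory, like /var/www after chmod g+s.
make_sgid_dir() {
    dir=$(mktemp -d) || return 1
    chmod 2775 "$dir"
    printf '%s\n' "$dir"
}

# Create file $3 inside $1 under umask $2 and print its octal mode.
# The subshell keeps the umask change local: the group is taken from the
# setgid directory, but the mode bits come only from the creating process's
# umask, so a umask set in /etc/profile does nothing for a process that
# did not start from that login shell.
file_mode_with_umask() {
    ( umask "$2" && : > "$1/$3" ) || return 1
    stat -c '%a' "$1/$3"
}

# Create directory $3 inside $1 under umask $2 and print its octal mode;
# subdirectories inherit the setgid bit (the leading 2), files do not.
dir_mode_with_umask() {
    ( umask "$2" && mkdir "$1/$3" ) || return 1
    stat -c '%a' "$1/$3"
}

# Repair files already created with the wrong umask: add group write to
# regular files only, leaving directories and execute bits untouched.
fix_group_write() {
    find "$1" -type f -exec chmod g+w {} +
}

demo() {
    d=$(make_sgid_dir) || return 1
    echo "umask 022 file:  $(file_mode_with_umask "$d" 022 a.txt)"  # 644
    echo "umask 002 file:  $(file_mode_with_umask "$d" 002 b.txt)"  # 664
    echo "umask 002 dir:   $(dir_mode_with_umask "$d" 002 sub)"     # 2775
    fix_group_write "$d"
    echo "a.txt after fix: $(stat -c '%a' "$d/a.txt")"              # 664
    rm -rf "$d"
}

demo
```

For the sudo case specifically: by default sudo combines its own umask (0022) with the caller's, so a 002 from /etc/profile never reaches the command unless umask_override is set in sudoers, which is why the hardcoded sudoers umask works.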