I need to set the umask value for one specific folder. I have a web application and when it creates some file the default permission is 700. But I need at least 755 permission for that file. How can one do that?
6 Answers
you could use setfacl
setfacl -d -m group:name:rwx /path/to/your/dirWhere name is the group name
To find which groups you or a specific user belong see In unix/linux how do you find out what group a given user is in via command line?
4You cannot set umask per directory, it's a process-level value. If you need to prevent others from reading files in a directory, revoke the corresponding permissions bits.
For example, if you've a directory /home/user/directory with some files and directories which can get permissions like 777 from a process, set the permission bits of /home/user/directory to something like 700. That will make it impossible for other users (excluding the superuser root) to descend in /home/user/directory.
I'm paranoid and set the permissions on /home/user to 750, so only I can read, write and descend in my home directory. This has as consequence that folders like /home/user/Public cannot be accessed by others, but I can live with that.
Per update of your question: still, you cannot control that in the filesystem (other than using a different filesystem type like FAT which is strongly discougared), you need to do that in your webapp. If your webapp is coded in PHP, you can change the umask on the fly using the umask function:
<?php
umask(0022);
// other code
?>You could put this in a configuration file, like the file containing the database connection password (thinking in apps like Wordpress).
Remember that it's a process value, some webservers allow you to set it in their configuration files, otherwise you could modify the startup scripts to set the desired umask. Remember that permissions like 755 and 644 are quite dangerous for webapps, if the code is sensitive, everyone can read it.
Provide anther solution implemented with shell hooks and direnv. The following solution may be more compatible in case setfacl is not available on your system. (e.g. macOS)
direnvis an environment switcher for the shell. It knows how to hook into bash, zsh, tcsh, fish shell and elvish to load or unload environment variables depending on the current directory.
Use .envrc to export custom umask value for specific dir, and the exported env var will be unloaded when you leave that dir.
# example .envrc file
export UMASK=0022Define a hook to change the umask value once working dir is changed.
function _umask_hook { if [[ -n $UMASK ]]; then umask "$UMASK" elif [[ $OSTYPE == darwin* ]]; then umask 0077 else umask 0022 fi
}
# To make the code more reliable on detecting the default umask
function _umask_hook { # Record the default umask value on the 1st run [[ -z $DEFAULT_UMASK ]] && export DEFAULT_UMASK="$(builtin umask)" if [[ -n $UMASK ]]; then umask "$UMASK" else umask "$DEFAULT_UMASK" fi
}
# zsh hooks
# trigger _umask_hook once working dir is changed
add-zsh-hook chpwd _umask_hook
# bash
# Append `;` if PROMPT_COMMAND is not empty
PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND;}_umask_hook"For the time being, direnv hook initialization for zsh doesn't support chpwd hook. If the pull request GH-514 has not been merged when you see this page. Please comment out eval "$(direnv hook zsh)" and hook direnv on chpwd manually with following code,
if (( $+commands[direnv] )) && ! (( $+functions[_direnv_hook] )); then _direnv_hook() { eval "$(command "direnv" export zsh)"; } typeset -agU precmd_functions; if [[ -z ${precmd_functions[(r)_direnv_hook]} ]]; then precmd_functions=( _direnv_hook ${precmd_functions[@]} ) fi typeset -agU chpwd_functions; if [[ -z ${chpwd_functions[(r)_direnv_hook]} ]]; then chpwd_functions=( _direnv_hook ${chpwd_functions[@]} ) fi
fiSource: dynamic-umask-based-on-cwd.md
Another solution might be to just set the group id on files created in the directory, which makes the new files owned by the directory group id, instead of the group id of the user that created the files. So I think you could just do:
chown www-data:www-data /my/folder
chmod 4755 /my/folder
This sets the setgid special file permission, which would cause all files created in /my/folder to be owned by the www-data group, which has then has rx (5) permission because of the parent directory.
To change permissions for a folder use chmod. umask is for files.
Set umask to what you need by
umask xxxand change back when your done
umask 022Related, but maybe not applicable in this case, the following clip is from .zshrc:
# Change the umask automatically for some directories; use 0022 as the default
chpwd () { case $PWD in $HOME/[Dd]ocuments*) if [[ $(umask) -ne 077 ]]; then umask 0077 echo -e "\033[01;32mumask: private \033[m" fi;; */[Ww]eb*) if [[ $(umask) -ne 072 ]]; then umask 0072 echo -e "\033[01;33mumask: other readable \033[m" fi;; /vol/nothing) if [[ $(umask) -ne 002 ]]; then umask 0002 echo -e "\033[01;35mumask: group writable \033[m" fi;; *) if [[ $(umask) -ne 022 ]]; then umask 0022 echo -e "\033[01;31mumask: world readable \033[m" fi;; esac
}So for interactive use, something like that would work (but, obviously, not to provide security).
