14

I'd really appreciate any help in tracking down and diagnosing an umask issue on Ubuntu:

I'm running php5-fpm with Apache via proxy_fcgi. The process is running with a umask of 0022 (confirmed by having PHP send the results of umask() into a file [the result is '18' == 0022]). I'd like to change this to 0002, but can't track down where the umask is coming from.

Apache is set with umask 0002, and as a test, if I disable proxy_fcgi and run my test above, I get a file with u+g having rw access (and the file contents confirm the umask as '2' == 0002).

If I sudo -iu fpmuser and run umask the results are 0002.

System info:

  • PHP: 5.5.3-1ubuntu2.1
  • Apache: 2.4.6
  • Ubuntu: 13.10
  • PHP-PFM is listing using TCP ports (as Unix ports aren't yet working/support)

So far I've tried the following (each followed by a system restart and a retest):

  • adding umask 0002 to the start of /etc/init.d/php5-fpm
  • adding --umask 0002 into the start-stop-daemon calls in /etc/init.d/php5-fpm
  • adding umask 0002 to .profile in the home of the fpm user

Something is clearly adjusting the umask of the php-fpm process - so, how can I begin tracing what is forcing the umask 0022 onto the php-fpm process?

EDIT (1):

  • adjusting the system wide umask via /etc/login.defs (see How to set system wide umask?) affects the umask elsewhere (e.g. comannds via sudo now have a umask of 0002), but still php-fpm creates files with a umask of 0022. Note that I verified that session optional pam_umask.so was also present in /etc/pam.d/common-session-noninteractive and I tested umasks of 002 and 0002.

EDIT (2):

  • I have been able to replicate the issue using nginx and php5-fpm (using unix sockets set to listen mode '0666').
  • I would love to trace where the umask is coming from but I'd settle for some way to force it to what I want.
  • I should add that the first test was done on an Amazon Ubuntu 13.10 image. My tests in 'edit 2' where completed using a copy of the Ubuntu13.10 server ISO setup from scratch in a virtual machine. All installations were completed via apt-get rather than by downloading the source and building.

EDIT (3):

  • I have confirmed I can manipulate the umask manually by either of the following (verified by checking the permissions on the test file created):

    a. In a shell, set a umask then run /usr/sbin/php-fpm from the shell

    b. In a shell, run the following with whatever umask value I like:

     start-stop-daemon --start --quiet --umask 0002 --pidfile /var/run/php5-fpm.pid --exec /usr/sbin/php5-fpm -- --daemonize --fpm-config /etc/php5/fpm/php-fpm.conf
    
  • However this exact same command in the /etc/init.d/php5-fpm file fails to adjust the umask when running sudo service php5-fpm stop; sudo service php5-fpm start or at reboot.

4

4 回答 4

16
于 2014-01-23T21:41:37.190 回答
10

If you use systemd, in the /etc/systemd/system directory, create a new directory called php7.2-fpm.service.d. The name of this directory will vary depending on your distro and PHP version. Run systemctl list-units --type=service | grep --ignore-case php to find out what to call it. Inside of this directory, place a file called umask.conf with the contents:

# /etc/systemd/system/php7.2-fpm.service.d/umask.conf
[Service]
UMask=0002

For the changes to take effect, run:

systemctl daemon-reload && systemctl restart php7.2-fpm

The benefit of this solution is that your customizations are not lost when packages get updated.

Explanation of how this works from the systemd manual:

Along with a unit file foo.service, a "drop-in" directory foo.service.d/ may exist. All files with the suffix ".conf" from this directory will be parsed after the file itself is parsed. This is useful to alter or add configuration settings for a unit, without having to modify unit files. Each drop-in file must have appropriate section headers. Note that for instantiated units, this logic will first look for the instance ".d/" subdirectory and read its ".conf" files, followed by the template ".d/" subdirectory and the ".conf" files there.

In addition to /etc/systemd/system, the drop-in ".d" directories for system services can be placed in /usr/lib/systemd/system or /run/systemd/system directories. Drop-in files in /etc take precedence over those in /run which in turn take precedence over those in /usr/lib. Drop-in files under any of these directories take precedence over unit files wherever located. Multiple drop-in files with different names are applied in lexicographic order, regardless of which of the directories they reside in.

于 2016-05-18T12:37:38.230 回答
2

better copy systemd script before editing php5-fpm.service or it will be overwritten on next update:

cp /lib/systemd/system/php5-fpm.service /etc/systemd/system/
vi /etc/systemd/system/php5-fpm.service
Add: UMask=0002 in [Service] section.
systemctl daemon-reload
systemctl restart php5-fpm

Source: https://ispire.me/running-php-fpm-with-different-user-group-using-umask/

于 2016-09-06T12:51:46.340 回答
0

okey, but this applies to all the pools. Would be handy to be able to set it with something like

env[umask] = 0002 (no chance for this to work)

been googling, but doesn't seem to be a way to do this on a per host basis.

于 2014-02-24T23:36:11.513 回答