Linux 设置Apache用户的umask
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/428416/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Setting the umask of the Apache user
提问by DavidWinterbottom
I am setting up a LAMP server and would like to set Apache's umask setting to 002 so that all Apache-created files have the group write permission bit set (so members of the same group can overwrite the files).
我正在设置 LAMP 服务器并希望将 Apache 的 umask 设置设置为 002,以便所有 Apache 创建的文件都设置了组写入权限位(因此同一组的成员可以覆盖文件)。
Does anyone know how to do this? I know that on Ubuntu, you can use the /etc/apache2/envvars file to configure the umask, but the server is running CentOS.
有谁知道如何做到这一点?我知道在 Ubuntu 上,您可以使用 /etc/apache2/envvars 文件来配置 umask,但服务器运行的是 CentOS。
UpdateThis question is related to another I asked a while ago (Linux users and groups for a LAMP server). If prefered, please update this other question with what the best set-up is to use for having a developer user on a server that can edit files created by the apache user.
更新这个问题与我刚才问的另一个问题有关(LAMP 服务器的 Linux 用户和组)。如果愿意,请使用最佳设置更新另一个问题,以便让开发人员用户在可以编辑 apache 用户创建的文件的服务器上使用。
采纳答案by Martin v. L?wis
Apache inherits its umaskfrom its parent process (i.e. the process starting Apache); this should typically be the /etc/init.d/script. So put a umaskcommand in that script.
Apacheumask从其父进程(即启动Apache 的进程)继承其;这通常应该是/etc/init.d/脚本。因此,umask在该脚本中放置一个命令。
回答by Rob Wells
Drifting away from the "tried and true Apache way" is usually not recommended. Lots of time and hard won experience has gone into the selection of such things.
通常不建议偏离“久经考验的真实 Apache 方式”。很多时间和来之不易的经验都用于选择这些东西。
回答by Patrick Fisher
For CentOS and other Red Hat distros, add the umask setting to /etc/sysconfig/httpd and restart apache.
对于 CentOS 和其他 Red Hat 发行版,将 umask 设置添加到 /etc/sysconfig/httpd 并重新启动 apache。
[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd [root ~]$ service httpd restart
More info: Apache2 umask | MDLog:/sysadmin
更多信息:Apache2 umask | MDLog:/系统管理员
For Debian and Ubuntu systems, you would similarly edit /etc/apache2/envvars.
对于 Debian 和 Ubuntu 系统,您可以类似地编辑/etc/apache2/envvars.
回答by Ferenc Wágner
Adding a umaskcommandto /etc/apache2/envvarsdoes not seem like a good idea to me, not only because of the name of the file (mentioning variables only) but also based on this comment found in that file:
向我添加umask命令对/etc/apache2/envvars我来说似乎不是一个好主意,不仅因为文件名(仅提及变量),而且还基于在该文件中找到的以下评论:
# Since there is no sane way to get the parsed apache2 config in scripts, some
# settings are defined via environment variables and then used in apache2ctl,
# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
This suggests that /etc/apache2/envvarsmight be sourced by any script doing Apache-related tasks, and changing the umask of those (unknown beforehand) scripts is rather dangerous.
这表明它/etc/apache2/envvars可能来自执行 Apache 相关任务的任何脚本,并且更改那些(事先未知的)脚本的 umask 是相当危险的。
On the other hand, in case the idea of changing the umask of Apache targets relaxing the permissions of files created by mod_dav, you should consider that the DAV repository is considered private to Apacheand letting other processes access those files may lead to various isses (including corruption).
在另一方面,如果改变Apache的目标放松创建的文件权限的umask的想法mod_dav,你应该考虑的DAV库被认为是私有的Apache,并让其他进程访问这些文件可能会导致各种isses(包括腐败)。
回答by AndreyP
For Ubuntu there is tool svnwrap
对于 Ubuntu,有工具svnwrap
- Install
sudo apt-get install subversion-tools - Wrap svn and svnserve with svnwrap:
sudo ln -s /usr/bin/svnwrap /usr/local/bin/svnsudo ln -s /usr/bin/svnwrap /usr/local/bin/svnserve
- 安装
sudo apt-get install subversion-tools - 用 svnwrap 包裹 svn 和 svnserve:
sudo ln -s /usr/bin/svnwrap /usr/local/bin/svnsudo ln -s /usr/bin/svnwrap /usr/local/bin/svnserve
After this all svn operations using file://, svn+ssh:// and http:// protocols will be done with umask 002
在此之后,所有使用 file://、svn+ssh:// 和 http:// 协议的 svn 操作都将使用 umask 002 完成
回答by Luoti
This was the first result in Google search results for "CentOS 7 apache umask", so I will share what I needed to do to get this work with CentOS 7.
这是“CentOS 7 apache umask”在 Google 搜索结果中的第一个结果,所以我将分享我需要做什么才能在 CentOS 7 上完成这项工作。
With CentOS 7 the echo "umask 002" >> /etc/sysconfig/httpd-method did not work for me.
在 CentOS 7 中,echo "umask 002" >> /etc/sysconfig/httpd-method 对我不起作用。
I did overwrite the systemd startup file by creating a folder /etc/systemd/system/httpd.service.dand there I created a file umask.confwith lines:
我确实通过创建一个文件夹覆盖了 systemd 启动文件,/etc/systemd/system/httpd.service.d并在那里创建了一个包含以下行的文件umask.conf:
[Service]
UMask=0007
Booted and it worked for me.
启动,它对我有用。
回答by Erik Liljencrantz
Adding to answer by Luoti / Spider Man for CentOS7: instead of "booting" after the change, these commands can be used:
在 CentOS7 上添加 Loti / Spider Man 的回答: 更改后可以使用这些命令,而不是“启动”:
systemctl daemon-reload
service httpd restart
回答by Francis
In Debian another place to set up the umask for Apache is /etc/default/apache2. Just this line at the end of this file : umask 0002
在 Debian 中,另一个为 Apache 设置 umask 的地方是 /etc/default/apache2。该文件末尾的这一行:umask 0002
回答by Brad
What you maywant to do is to instead set the groups sticky bit (SetGID) bit on the directory your CGI is working with:
您可能想要做的是SetGID在您的 CGI 正在使用的目录上设置组粘性位 ( ) 位:
chgrp mygroup dir
chmod g+s dir
chgrp mygroup dir
chmod g+s dir
Makesurewhen you do this that (user) apache is in the mygroupgroup (in /etc/group), so it will have permissions.
请确保当你做这一点,(用户)Apache是在mygroup组(中/etc/group),所以它拥有的权限。
This will make it so any file created under this directory will be owned by the same group as the directory.
这将使在此目录下创建的任何文件都由与该目录相同的组拥有。
This is a safer approach than setting a global umask for EVERY cgi script that apache may run.
这是比为 apache 可能运行的每个 cgi 脚本设置全局 umask 更安全的方法。
(This is how git-http-backendis typically run from Apache).
(这是git-http-backend通常从 Apache 运行的方式)。
