Apache2 & umasks

I’ve been noticing more and more people using Apache as a way of getting files to and from servers. Call me silly but I think we’re going to continue to see more and more of this. A really common issue that comes up with Apache2 is default permissions of new files.

Mac OS X is great with ACLs and whatnot. But Apache is built for POSIX, and POSIX is built on the foundation that the permissions of newly created files come from the umask. If you have a script that uploads a file, you can set the permissions as part of the script. But if you just pull the file in through Apache, the umask is applied, giving the file or folder that Apache is handling a permission of the inverse of the umask (e.g. a umask of 002 results in 775 for the files, or 007 gives new files 770).

Apache has an environment variable for umask that is set in the envvars file. In a standard Linux installation of Apache this would be located in /etc/apache2/ or maybe /etc/sysconfig/httpd. But in Mac OS X the envvars file is stored in /usr/sbin/. To set the umask for new files, add a line of umask followed by the octal umask you want to set. Let’s set ours to 002:

umask 002

Each daemon can have its own umask, but it is worth knowing that most will have some way to change such behavior. Once you’ve made the change using envvars, restart Apache and test.
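
One way to run that test, as an added example that is not from the original post: the script reads the last umask set in an envvars file, then creates a scratch file and directory under that umask and reports the resulting modes. It goes a little beyond the examples above by showing both cases: 775 and 770 are what a directory (requested as 777) receives, while a plain file requested as 666 ends up 664 or 660. The function names and the script name are hypothetical, and the script does not touch Apache itself.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the last umask set in an envvars-style file. The file is a shell
# fragment, so a later "umask NNN" line overrides an earlier one.
# Commented-out lines are ignored. Returns 1 if no umask line is found.
envvars_umask() {
    awk '$1 == "umask" && $2 ~ /^[0-7]+$/ { v = $2 }
         END { if (v == "") exit 1; print v }' "$1"
}

# Print a path's octal mode: GNU stat first, then BSD/Mac OS X stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a scratch file and directory under the given umask and report
# the modes they end up with. Runs in a subshell so the caller's umask
# is left alone.
effective_modes() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/upload.dat"    # redirection asks for 0666
        mkdir "$tmp/upload.d"    # mkdir asks for 0777
        echo "file=$(mode_of "$tmp/upload.dat") dir=$(mode_of "$tmp/upload.d")"
        rm -rf "$tmp"
    )
}

# Usage: sh check_umask.sh /usr/sbin/envvars
if [ $# -gt 0 ]; then
    if u=$(envvars_umask "$1"); then
        echo "umask $u -> $(effective_modes "$u")"
    else
        echo "no umask line in $1; the daemon inherits its parent's umask" >&2
    fi
fi
```

With 002, everything Apache creates stays group-writable and world-readable; 007 keeps the group access and removes all access for other users.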