You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Scott Lamb <sl...@slamb.org> on 2002/07/08 01:51:25 UTC

umask and modules/dav/fs

I'd like to allow people to update a website either through their shell 
account or WebDAV. My problem is permissions. I can make a group 
"somewebsite" including users apache, bob, and charlie. Then I can make 
all the directories setgid. When bob and charlie make new files or 
directories, everything works out. When Apache does, there's a problem: 
the group write permission is disabled. bob and charlie can't modify the 
file.

I grepped through the source for umask and found this:

     ./modules/dav/fs/dbm.c:    /* ### do we need to deal with the umask? */
     ./modules/dav/fs/dbm.c:    /* ### do we need to deal with the umask? */
     ./modules/dav/fs/repos.c:    /* ### do we need to deal with the 
umask? */
     ./modules/dav/fs/repos.c:    /* ### do we need to deal with the 
umask? */

I think the answer is yes. In my situation, just setting the umask 
globally would work. Are there situations where it'd need to be set on a 
per-directory basis? I.e., is there need for a "DavUmask" directive that 
can be set in <directory> containers?

--
Scott Lamb

Thanks to whoever got me Slashdotted

Posted by Chris Taylor <ch...@phi-web.co.uk>.

Hi again.

Although this isn't perhaps appropriate for the list, I'd just like to thank
whoever forwarded my PS2-Apache announcement to Slashdot :)

This has raised the profile of the possibilities no end, and added some more
"cool factor" to Apache itself.

Read about it here:
http://apache.slashdot.org/apache/02/07/07/029241.shtml?tid=106 if you are
so inclined.

And now I'll let you get back to what it is you do best.

Thanks again.

Chris

chris@phi-web.co.uk - The guy with the PS2 Webserver :)

Re: umask and modules/dav/fs

Posted by Jeff Trawick <tr...@attglobal.net>.

Scott Lamb <sl...@slamb.org> writes:

> I'd like to allow people to update a website either through their
> shell account or WebDAV. My problem is permissions. I can make a group
> "somewebsite" including users apache, bob, and charlie. Then I can
> make all the directories setgid. When bob and charlie make new files
> or directories, everything works out. When Apache does, there's a
> problem: the group write permission is disabled. bob and charlie can't
> modify the file.
> 
> I grepped through the source for umask and found this:
> 
>      ./modules/dav/fs/dbm.c:    /* ### do we need to deal with the umask? */
>      ./modules/dav/fs/dbm.c:    /* ### do we need to deal with the umask? */
>      ./modules/dav/fs/repos.c:    /* ### do we need to deal with the
> umask? */
>      ./modules/dav/fs/repos.c:    /* ### do we need to deal with the
> umask? */
> 
> I think the answer is yes. In my situation, just setting the umask
> globally would work. Are there situations where it'd need to be set on
> a per-directory basis? I.e., is there need for a "DavUmask" directive
> that can be set in <directory> containers?

Perhaps I'm confused, but here goes:

umask only serves to turn off permission bits in the permissions
specified by the program...

mod_dav always specifies 0666 when creating files on Unix, which would
seem to give the admin a lot of leeway in playing with umask (set
umask to desired value in shell before starting Apache); that would
seem to satisfy your desire for a global umask setting...

is the g+s bit getting lost in directories created by Apache/Dav?

have you played with umask in the shell before starting Apache?

I'm unsure about whether a lost g+s bit or a bad umask is causing the
problem.

(I'm even unsure that I know what I'm talking about, but maybe this
will bring out some fresh ideas.)

-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...

Re: umask and modules/dav/fs

Posted by Greg Stein <gs...@lyra.org>.

On Sun, Jul 07, 2002 at 06:51:25PM -0500, Scott Lamb wrote:
> I'd like to allow people to update a website either through their shell 
> account or WebDAV. My problem is permissions. I can make a group 
> "somewebsite" including users apache, bob, and charlie. Then I can make 
> all the directories setgid. When bob and charlie make new files or 
> directories, everything works out.

mod_dav considers its repository to be private. You are not allowed to
provide access to that repository to users other than the Apache process.
Otherwise, you could end up with all kinds of permission problems, symlink
and hard link issues, corrupted locks and property databases, etc.

>...
> I think the answer is yes. In my situation, just setting the umask 
> globally would work.

Yup. As Jeff pointed out: just set the umask before starting Apache.

> Are there situations where it'd need to be set on a 
> per-directory basis? I.e., is there need for a "DavUmask" directive that 
> can be set in <directory> containers?

Considering that the design decision is that the repository is private, then
the answer is "no". As long as Apache can read/write the files and dirs,
then everything is fine.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/