Question

I maintain a Web directory:

drwxrwsr-x 2 hendry www-data 57344 Apr  1 21:02 foobar/

I thought I created a "sticky bit" (correct me please) there to ensure -rw-rw-r-- permissions of files in that directory, but it doesn't seem to work.

Sometimes files created in foobar/ can have the -rw-r--r-- permissions (missing write on www-data!). I think it's because some Web process writes the file with that permission. So instead of going into said Web application (assume I can't do this) and changing the umask, how do I ensure files ALWAYS have -rw-rw-r--?

I want to ensure the httpd process can always operate on these files.

Solution

The setgid bit on a directory only ensures that the files created inside the directory are also owned by the group that owns the directory. It does not affect the permissions granted to the group (the middle three bits).

What you want is to override the default permission bits for files created inside the directory, i.e.:

setfacl -m default:user:www-data:rwx foobar/

The ACLs on foobar/ should look like this:

foobar% getfacl .
# file: .
# owner: www-data
# group: www-data
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:www-data:rwx
default:mask::rwx
default:other::r-x

And if you create a file with a restrictive umask...

foobar% umask
077
foobar% touch foo
foobar% ls -l
total 0
-rw-rw-r--+ 1 www-data www-data 0 Apr  2 11:18 foo

Notice that there's the + at the end of the first column, indicating that ACLs are present and you should use getfacl to see the full picture.

foobar% getfacl foo
# file: foo
# owner: www-data
# group: www-data
user::rw-
group::r-x                      #effective:r--
group:www-data:rwx              #effective:rw-
mask::rw-
other::r--
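
The following is an added example, not part of the original answer: a small Python model of how a new file's access ACL is derived from a directory's default ACL, following the creation rules in acl(5). The function names are hypothetical, and `DIR_ACL` is the `getfacl .` output shown above.

```python
# Added example: derive a new file's access ACL from a directory's default ACL.
DIR_ACL = """\
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:www-data:rwx
default:mask::rwx
default:other::r-x
"""

def to_bits(perm):   # "r-x" -> 5
    return sum(bit for ch, bit in zip(perm, (4, 2, 1)) if ch != "-")

def to_text(bits):   # 6 -> "rw-"
    return "".join(ch if bits & bit else "-" for ch, bit in zip("rwx", (4, 2, 1)))

def default_entries(getfacl_text):
    """Return {(tag, qualifier): bits} for the default: entries only."""
    entries = {}
    for line in getfacl_text.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("default:"):
            tag, qualifier, perm = line[len("default:"):].split(":")
            entries[(tag, qualifier)] = to_bits(perm)
    return entries

def inherit(getfacl_text, create_mode=0o666, umask=0o077):
    """Return [(acl_entry, effective_perms)] for a file created in the directory."""
    acl = default_entries(getfacl_text)
    if not acl:
        # No default ACL: the classic rule, mode & ~umask.
        mode = create_mode & ~umask
        acl = {("user", ""): mode >> 6 & 7, ("group", ""): mode >> 3 & 7,
               ("other", ""): mode & 7}
    else:
        # Default ACL present: umask is ignored; the creating process's mode
        # only caps the owner entry, the mask (group class) and the other entry.
        acl[("user", "")] &= create_mode >> 6 & 7
        group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
        acl[group_class] &= create_mode >> 3 & 7
        acl[("other", "")] &= create_mode & 7
    mask = acl.get(("mask", ""), 7)
    result = []
    for (tag, qualifier), bits in acl.items():
        # The mask limits the owning group, named groups and named users.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        effective = bits & mask if masked else bits
        result.append((f"{tag}:{qualifier}:{to_text(bits)}", to_text(effective)))
    return result
```

With the default ACL in place the result is the same for umask 077 and 022, and the mask `rw-` is what `ls -l` displays in the group column.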

Licensed under: CC-BY-SA with attribution