You are here: Foswiki>Tasks Web>Item9935 (05 Jul 2015, GeorgeClark)Edit Attach

Item9935: Detect and resolve umask issues in Foswiki core

Priority: Enhancement
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: Core
Branches: Release01x01 trunk
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
A number of extensions that touch the file system also modify the umask, often failing to restore the default.

  • Add umask to the displayed environment variables in configure
  • Add a new expert RCS variable - {RCS}{overrideUmask} default of false.
  • Add a new config checker that will set an error if the default umask would block the configured file and directory permissions from being applied.
  • Add conditional code to Foswiki::Engine that will override the umask to oct(777) - ($Foswiki::cfg{RCS}{dirPermission}|$Foswiki::cfg{RCS}{filePermission}) when overrideUmask is enabled.

Other cleanup:

  • should use chmod rather than setting the umask
  • Engine::FastCGI should not set umask to zero.
  • umask override could also be removed from store

Note: Configure establishes the Foswiki environment, and causes the BEGIN block to run, which will correct the umask, masking it from the Checker. Once overrideUmask is enabled, the Checker will no longer have access to the original umask. however the configure "Web Server Environment" appears to be processed early enough that it will show the unmodified umask.

-- GeorgeClark - 01 Nov 2010

We keep on adding more and more configuration settings to configure and more and more expert settings.

That concerns me.

What is it we are fixing that is broken here and that needs a configure setting?

And how are normal admins ever going to understand how to set those expert settings?

-- KennethLavrsen - 01 Nov 2010

Nobody will see this unless their system is broken. We've found 5 extensions that set umask without restoring it - probably because the've run into systems with broken umask. This attempts to address it only when the system is detected as broken.

The problem is that systems continue to create files that are then not readable by Apache. And extensions that just do "umask(0002)" are not implemented properly. Store, HeadlinesPlugin, GaugePlugin, EasyTimelinePlugin, BarcodePlugin, DirectedGraphPlugin, have all added umask to deal with the issues. None of them restore it. But Core isn't much better, X509UserPlugin and HtPasswordUser both change it to 077 without restoring it. And Store VC/ also sets umask.

So this patch
  • Attempts to determine if the system default umask will work with the configured permissions.
  • Warn if it doesn't and override it in only one place.

And hopefully we can clean up all of the other umask setting. Though it may take a while until 1.0.x compatibility doesn't require it.

-- GeorgeClark - 02 Nov 2010

The below screenshots show what happens on a server configured with suexec - the system umask has been forced to 077. The admin will see the following error under the Store settings, exposed even if expert settings are not enabled.

This still needs some testing on windows, but I'd like to consider this for 1.1.2, without changes to Store and extensions. This will make it easier to begin to remove the umask setting from extensions.

-- GeorgeClark - 02 Nov 2010

Seems OK.

I first feared that people had to put a umask value in a field. I would suggest you go ahead with this.

-- KennethLavrsen - 03 Nov 2010

Hi George, I'm able to break things with this change smile

  • Set dirPermission to 0775
  • Set filePermission to 0664
  • System umask is 022
  • Enable "OverrideUmask"

Then I get an error on my server env page:
Argument "53?" isn't numeric in subtraction (-) at /usr/local/src/ line 70.
BEGIN failed--compilation aborted at /usr/local/src/ line 570.
Compilation failed in require at (eval 1009) line 3.

The checker seems fine; when I fix my apache to run with the proper umask the warning goes away.

-- PaulHarvey - 05 Nov 2010

Fixed - Needed to add 0 to variables in a bitwise OR to force them to be interpreted as numerics instead of character strings. Left debug messages in place in the event that additional issues occur.

Leaving this open until debug messages removed.

-- GeorgeClark - 06 Nov 2010

For 1.1.3, I've checked in just the display of UMASK in the Web Server Environment tab of Configure. Nothing else here planned for 1.1.3.

-- GeorgeClark - 18 Mar 2011
Topic revision: r19 - 05 Jul 2015, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy