When running daemon processes like Yaws on Ubuntu, file permission management becomes crucial. The default umask (022) often creates files with restrictive permissions (644), preventing group members from modifying files created by the daemon. This is particularly problematic in shared hosting environments or when multiple users need to manage web content.
We'll explore several methods to configure umask for daemon processes:
- Init script modification
- PAM module configuration
- Systemd service unit configuration
- Wrapper script approach
The most straightforward approach is modifying the init script:
# Edit /etc/init.d/yaws
# Add this near the top after the shebang
umask 002
While effective, this method has maintenance drawbacks as init scripts might be overwritten during package updates.
For systems using PAM, configure /etc/pam.d/common-session:
session optional pam_umask.so umask=002
Alternatively, set a per-user umask in the /etc/passwd GECOS field:
yaws:x:1001:1001:umask=002:/var/lib/yaws:/bin/false
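Note: This requires the pam_umask module to be installed, and it only affects processes started through a PAM session (login, su, sudo, cron); a daemon launched directly by init or systemd does not pass through PAM.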
For modern Ubuntu systems using systemd, create or edit the service unit:
# /etc/systemd/system/yaws.service.d/umask.conf
[Service]
UMask=0002
Then reload and restart:
sudo systemctl daemon-reload
sudo systemctl restart yaws
Create a wrapper script that sets the umask before launching the daemon:
#!/bin/sh
umask 002
exec /usr/sbin/yaws "$@"
Then modify your init system to use this wrapper instead of the direct binary.
Choose the method based on your environment:
- Traditional init systems: Wrapper script approach
- Systemd systems: Service unit override
- Multi-user environments: PAM configuration
- Temporary solutions: Init script modification
After implementation, verify with:
ps -ef | grep yaws
cat /proc/<PID>/status | grep Umask
Create a test file and check permissions:
ls -l /path/to/daemon/created/file
If umask doesn't apply:
- Check if the process is dropping privileges
- Verify no other umask settings override yours
- Ensure the user's shell profile isn't setting umask
- Check for application-specific umask settings
When running services like Yaws on Ubuntu (or any Linux system), file permissions become crucial in multi-user environments. The default umask of 022 often creates files with permissions 644 (rw-r--r--), preventing group members from modifying files created by the daemon.
The most straightforward approach is modifying the init script before the daemon launch:
# Edit /etc/init.d/yaws
# Add this near the top, before the daemon starts
umask 002
# Restart the service
sudo service yaws restart
While effective, this approach has maintenance drawbacks across multiple servers.
For system-wide control, configure pam_umask:
# Install pam_umask if not present (on current Ubuntu releases pam_umask.so
# is already provided by the libpam-modules package)
sudo apt-get install libpam-umask
# Edit /etc/pam.d/common-session
session optional pam_umask.so umask=002
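For service-specific control, create a dedicated PAM config (it is only consulted when the service is started through PAM under the service name yaws, for example with PAMName=yaws in a systemd unit):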
# /etc/pam.d/yaws
@include common-session
session required pam_umask.so umask=002
For Ubuntu 15.04+ using systemd:
# Create/edit /etc/systemd/system/yaws.service.d/umask.conf
[Service]
UMask=0002
# Reload and restart
sudo systemctl daemon-reload
sudo systemctl restart yaws
Create a launch wrapper that sets the umask:
#!/bin/sh
umask 002
exec /usr/sbin/yaws "$@"
Then modify your init script or systemd unit to use this wrapper instead of direct binary execution.
When using umask 002:
- Ensure proper group ownership (chown :www-data /var/log/yaws)
- Review directory permissions (2775 for setgid)
- Limit group membership to trusted users
- Consider filesystem ACLs for complex scenarios
Confirm the umask is applied:
# Check running process
ps -ef | grep yaws
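# Examine the umask of the running process
grep Umask /proc/[pid]/status
# Test file creation (this reflects the umask of the sudo session, not of the running daemon)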
sudo -u yaws touch /tmp/testfile
ls -l /tmp/testfile
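An added example (not part of the original article): a POSIX shell helper that reads the Umask field used in the verification step above and reports the default file and directory modes it produces, flagging a mask that leaves new files world-writable. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the umask a daemon is really running with.

# umask_of STATUS_FILE: print the octal value of the Umask line, e.g. 0002.
# Fails when the line is missing (kernels older than 4.7 do not expose it).
umask_of() {
    awk '$1 == "Umask:" { print $2; found = 1 } END { exit !found }' "$1"
}

# default_mode BASE UMASK: mode a newly created object gets, BASE & ~UMASK.
# BASE is 666 for regular files and 777 for directories.
default_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# audit_umask STATUS_FILE: one-line report plus a verdict on write access.
audit_umask() {
    mask=$(umask_of "$1") || { echo "unknown: no Umask field"; return 2; }
    file=$(default_mode 666 "$mask")
    dir=$(default_mode 777 "$mask")
    if [ $(( 0$file & 0002 )) -ne 0 ]; then
        verdict="world-writable"      # too loose: any local user can modify
    elif [ $(( 0$file & 0020 )) -ne 0 ]; then
        verdict="group-writable"      # what umask 002 is meant to achieve
    else
        verdict="owner-only-write"    # e.g. the default 022
    fi
    echo "umask=$mask file=$file dir=$dir $verdict"
}

# Constructed sample of /proc/<PID>/status lines (not captured output).
sample=$(mktemp)
printf 'Name:\tyaws\nUmask:\t0002\nState:\tS (sleeping)\n' > "$sample"
audit_umask "$sample"
rm -f "$sample"
```

To check a live daemon, call audit_umask with /proc/<PID>/status in place of the sample file.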