vanutsteen.nl

What I'm about to explain is dangerous. It opens up your server and services for hackers. It's not as if everybody can login. But it makes it more vulnerable.

Why explain it then? Well here's the case: we have a couple developers working on the same server. Usually everybody has it's own projects to work on. But now and then people work together on projects. And then you have to access eachother's files. To make that possible you have to open up the umask settings for different servies. In this example I talk about:

• vsftpd;
• apache2;
• samba; 

VSFTPD

This was the easiest one. Vsftpd has an option to configure the umask settings. It is called: local_umask. Is set that to 002. Because then (all our developers are in the same group) the users in a group can modify eachothers files. Anyone else can not. Maybe I even had tot set it to 000 (or 111) because then apache can access and modify the files. But that's even more dangerous...

Apache 2

For modify'ing apache's umask I had to search further. Apache's umask can be changed by calling the "umask" command. I incorperated it into the apache2 startup script. The start now looks like:

#!/bin/bash -e
#
# apache2               This init.d script is used to start apache2.
#                       It basically just calls apache2ctl.

ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"

#edit /etc/default/apache2 to change this.
NO_START=0

umask 111

 Samba

For samba I added this to my share:

        create mask = 0777
        directory mask = 0777
        force create mode = 0777
        force directory mode = 0777

Conclusion

I wouldn't recommend this to anyone else. But I had no other choice. I could create some additional groups and try to make that work. But I'm lazy and did it this way. If anyone has a better idea to do this: please contact me! 

Extra, extra

Do not use umask 111. Why not? Because when directories are created they can not be entered. The execute-bit for directories is used for that. So use 000. Much better...