Hi,

>>> The only way to verify the change "took" is to have the httpd process
>>> create a file and check the mode of the file created.
>>
>> Yes, thanks. I still need to test it for joomla through the apache
>> user, but as I mentioned in a previous email a few minutes ago, it
>> still appears to be 0022.
>>
>> How is it set for the normal user? I've modified /etc/bashrc (and even
>> /etc/profile), and the apache user doesn't have a .bashrc or
>> .bash_profile, and it's still 0022.
>
> Where did you set it? By default /etc/profile changes the umask for
> interactive shells to 0002 under the following criteria:
>
> if the user ID is > 199 AND
> the EUID (by name) is the same as the EGID (by name)

I misinterpreted that when I first read it.

> Otherwise the umask is set to 0022. By default, /etc/bashrc does
> precisely the same for _non-login_ bash shells.
>
> Just to prove you can change the umask via /etc/profile:
>
> [root@prophead ~]# su - apache -s /bin/bash -c "umask"
> 0022
> [root@prophead ~]# echo "umask 0002" >>/etc/profile
> [root@prophead ~]# su - apache -s /bin/bash -c "umask"
> 0002
>
> Note that this affects ALL users' interactive shells, so delete that
> line we just added from the end of /etc/profile as soon as possible
> after you're satisfied it works.
>
> I'd highly recommend you add code to both /etc/profile and /etc/bashrc
> to selectively change the umask for the apache user (on my machine,
> that's UID 48).

This is what I've done now, and it works well, thanks.

>> This is important because the "joomadmin" user will be manipulating
>> these files via sFTP or scp.
>>
>> I've also tried modifying the Subsystem variable to first set the
>> umask before running /usr/libexec/openssh/sftp-server, and the Windows
>> sFTP client they're using apparently can't handle this.
>
> Uh, how?
> The /etc/ssh/sshd_config line should read:
>
> Subsystem sftp /usr/libexec/openssh/sftp-server -u 0002
>
> and you must restart sshd via "systemctl restart sshd.service" as
> /etc/ssh/sshd_config is only read when sshd starts up.

I had set umask prior to spawning sftp-server, as in
'umask 0002; /usr/libexec/openssh/sftp-server'.

This whole issue started with trying to figure out which is the preferred
method for managing access to files by apache and a web admin. Many
recommended suPHP, while others recommended other, more complicated modules
like PHP-FPM. I was surprised there was no more comprehensive joomla or apache
doc with recommended best practices, or as part of their security
documentation, that described more clearly how best to secure the
DocumentRoot while allowing remote access by other users. Meanwhile, a
security vulnerability in apache leading to a shell means it then has
complete write access to the site.

Gordon Messmer wrote:
> Assume that we don't know what your process is, and be specific
> about how you're uploading new modules, please.

I'm referring to the procedure typically used by joomla admins through the
web-based admin interface included with joomla. It logs in as a system user,
then I believe uses sftp to upload files from the local desktop or somewhere
on the joomla system.
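The selective umask for the apache user that the reply recommends, together with the "create a file and check its mode" verification from the top of the thread, as an added example that is not from the thread or from any project: a POSIX sh snippet meant to be sourced from /etc/profile and /etc/bashrc after their own umask logic. The function names, the use of a temporary probe directory and GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): give only the apache login a
# group-writable umask, and verify the umask "took" by creating a file
# and reading back its mode. Function names are assumptions.

# Decide which umask a login should get; prints the chosen mask.
# $1: login name, $2: umask currently in effect, $3: mask for apache (0002)
select_umask() {
    _login="$1"; _current="$2"; _shared="${3:-0002}"
    case "$_login" in
        apache) printf '%s\n' "$_shared" ;;   # web server: group-writable files
        *)      printf '%s\n' "$_current" ;;  # everyone else keeps the default
    esac
}

# Permission bits a new regular file gets under an octal umask:
# 0666 masked by the umask (directories start from 0777 instead).
expected_file_mode() {
    printf '%o\n' "$(( 0666 & ~0$1 ))"
}

# Verify a umask really applies: create a probe file under it in a
# scratch directory and read the mode back (GNU stat assumed).
# Prints the octal mode, e.g. 664 for umask 0002, 644 for 0022.
probe_file_mode() {
    _dir=$(mktemp -d)
    ( umask "$1"; : > "$_dir/probe" )
    _mode=$(stat -c '%a' "$_dir/probe")
    rm -rf "$_dir"
    printf '%s\n' "$_mode"
}

# The line to call from /etc/profile and /etc/bashrc, after their own
# umask logic has run, so the apache-specific value wins.
apply_umask_policy() {
    umask "$(select_umask "$(id -un)" "$(umask)")"
}
```

Run probe_file_mode as the apache user (for example via `su - apache -s /bin/bash`) to confirm the mode files actually receive, since only a real file creation proves the setting is in effect.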