Dealing With Dashcode, Part 2: Apache, WebDAV, and umasks

(This is a continuation of a previous post.)

At this point, I had set up a directory that I could publish to using WebDAV and also edit as my regular user id.  Since WebDAV runs as the www user, my normal user id (piquan) wouldn't otherwise have access to edit the files it created.  So I needed to set up a directory using FreeBSD's ACLs to give write access to both me and www: an access ACL on the directory itself, and a default ACL that new entries created inside it inherit.
$ mkdir serv
$ setfacl -m u:piquan:rwx,u:www:rwx serv
$ setfacl -d -m u:piquan:rwx,u:www:rwx,u::rwx,g::rx,o::rx,mask::rwx serv
The problem is, when WebDAV created a directory, it created it with mode 755 (rwxr-xr-x).  If a program that's not aware of ACLs creates (or chmods) a file or directory, the ACL mask entry is taken from the group bits of the mode.  In other words, the permissions that the program gives to the group cap the permissions of every u:… and g:… entry in the ACL.  The r-x group bits that WebDAV created my directory with masked my u:piquan:rwx entry down to an effective u:piquan:r-x.  (Since www was the directory's owner, its access came from the u::rwx owner entry, which the mask doesn't apply to.)

In other words, I could no longer add, rename, or delete files from the directories that WebDAV created.  I also couldn't edit the files, since they were created with mode 644.
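The arithmetic behind those two paragraphs, as an added illustration (this is not code from the original post): a small model of the POSIX.1e rule that a non-ACL-aware creator's mode bits are ANDed into the inherited default ACL, with the mask entry following the group bits and every named u:/g: entry then limited by that mask. Fed the default ACL above and the two umasks discussed in this post, it reproduces the 755/644 modes that were observed and shows piquan's effective access going from r-x (or r-- on files) under umask 022 to rwx (rw-) under umask 002. The entry names and umask values are the ones from the post; the helper and function names are mine.

```python
"""Model of the POSIX.1e rule the post runs into: a program that knows
nothing about ACLs creates a file with mode (0666 & ~umask) or a directory
with mode (0777 & ~umask); the parent's default ACL is copied to the new
object, and the owner, mask and other entries of that copy are ANDed with
the matching bits of that mode.  Named u:/g: entries are then limited by
the mask.  Added illustration, not code from the original post."""

R, W, X = 4, 2, 1          # permission bits, as in the rwx notation
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask",
        "user": "user", "group": "group", "other": "other", "mask": "mask"}


def parse_perms(text):
    """'rwx', 'r-x' or 'rx' -> int (0..7)."""
    bits = 0
    for ch in text:
        if ch == "r":
            bits |= R
        elif ch == "w":
            bits |= W
        elif ch == "x":
            bits |= X
        elif ch != "-":
            raise ValueError("bad permission string: %r" % text)
    return bits


def fmt_perms(bits):
    """int -> 'rwx' notation."""
    return (("r" if bits & R else "-") + ("w" if bits & W else "-")
            + ("x" if bits & X else "-"))


def parse_acl(text):
    """setfacl-style entry list -> list of (tag, qualifier, bits),
    e.g. 'u:piquan:rwx,u::rwx,g::rx,o::rx,mask::rwx'."""
    acl = []
    for item in text.split(","):
        tag, qual, perms = item.split(":")
        acl.append((TAGS[tag], qual, parse_perms(perms)))
    return acl


def inherit(default_acl, umask, is_dir):
    """ACL of an object created under default_acl by an ACL-unaware
    program.  Returns (creation mode, resulting access ACL)."""
    mode = (0o777 if is_dir else 0o666) & ~umask & 0o777
    u_bits, g_bits, o_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    acl = []
    for tag, qual, bits in default_acl:
        if tag == "user" and qual == "":
            bits &= u_bits                 # owner entry follows the user bits
        elif tag == "mask":
            bits &= g_bits                 # mask follows the group bits
        elif tag == "group" and qual == "" and not has_mask:
            bits &= g_bits                 # no mask entry: g:: takes them
        elif tag == "other":
            bits &= o_bits
        acl.append((tag, qual, bits))
    return mode, acl


def effective(acl, tag, qual=""):
    """Permissions actually granted by one entry: named users, named
    groups and the owning group are ANDed with the mask; the owner and
    'other' entries are not."""
    mask = next((bits for t, _, bits in acl if t == "mask"), None)
    for t, q, bits in acl:
        if t == tag and q == qual:
            masked = tag == "group" or (tag == "user" and qual != "")
            return bits & mask if (mask is not None and masked) else bits
    raise KeyError((tag, qual))


def effective_perms(default_acl_text, umask, is_dir, tag, qual=""):
    """Convenience wrapper: 'rwx'-style string for one entry."""
    _, acl = inherit(parse_acl(default_acl_text), umask, is_dir)
    return fmt_perms(effective(acl, tag, qual))


# The default ACL from the post, as set on the serv/ directory.
SERV_DEFAULT = "u:piquan:rwx,u:www:rwx,u::rwx,g::rx,o::rx,mask::rwx"

if __name__ == "__main__":
    for umask in (0o022, 0o002):
        for is_dir in (True, False):
            mode, acl = inherit(parse_acl(SERV_DEFAULT), umask, is_dir)
            print("umask %04o %s mode %04o: piquan=%s www(owner)=%s" % (
                umask, "dir " if is_dir else "file", mode,
                fmt_perms(effective(acl, "user", "piquan")),
                fmt_perms(effective(acl, "user", ""))))
```

Note that even with umask 002 a file created by WebDAV gives piquan rw- rather than rwx: the creation mode for a file starts at 0666, so the x bit never reaches the mask regardless of the default ACL, which is exactly what you want for published content.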

After some investigation, I found that WebDAV creates files and directories with the usual default modes (0666 for files, 0777 for directories), masked by the Apache process's umask.  The 755 and 644 I was seeing were simply the result of httpd running with a umask of 022.

On one hand, I could edit /usr/local/sbin/apachectl and /usr/local/etc/rc.d/apache22 to set the umask before launching Apache.  However, I didn't like that idea, since then any Apache upgrades would blow away my changes.  I wanted something a little more lasting.

Instead, I used – or rather abused – a mechanism in rc.d/apache22 that's designed for setting process limits.  Its precmd passes the contents of apache22limits_args to limits(1) and evals whatever that prints.  Since limits(1) will run any trailing command you give it, an argument string of "echo umask 0002" makes it print "umask 0002", which the eval then applies to the very shell that goes on to start httpd.  (The hook is gated by apache22limits_enable, so that has to be set to YES in rc.conf too.)  I added to /etc/rc.conf:
apache22limits_args="echo umask 0002"
After that, I ran "sudo /usr/local/etc/rc.d/apache22 restart", removed (with sudo rm) the files that WebDAV had already created, and published again.  This time, WebDAV created files I could edit.  Mind you, after that, Dashcode couldn't delete the directory it had created in order to republish it, but that's for my next post.