Freshrss: permissions on configuration file

Created on 16 Mar 2017 · 24 comments · Source: FreshRSS/FreshRSS

Even if apache is set to have a specific permission mask (www-data has 002 umask), the config file created by the installation process does not follow the umask.

Its permissions are 644. Do you know why it does not follow the standard permissions?

All 24 comments

Hum, FreshRSS is not doing anything special with the rights. There is no chmod in this part of the code, so it should only depend on the system configuration.

You're right. I close the issue.

After some further investigations, I still can't figure out why the config file has special permissions.

I've changed the default umask of apache to set it to 007:

>grep umask /etc/apache2/envvars 
umask 007

When I create a basic file via php, the created file has the right permissions: 660

<?php
// Test script: create a file with fopen()/fwrite() to see which
// permission bits it receives under the current umask.
$myFile = "testFile.txt";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = "Bobby Bopper\n";
fwrite($fh, $stringData);
$stringData = "Tracy Tanner\n";
fwrite($fh, $stringData);
fclose($fh);
-rw-rw---- 1 www-data www-data  26 mars  24 01:23 testFile.txt

But when I look at the FreshRSS config file, it does not have the right permissions, it has: 644

>ls -l FreshRSS-1.6.3/data/
total 44
drwxr-x--- 2 www-data www-data 4096 mars  11 10:36 cache
-rw-r----- 1 www-data www-data 4659 mars  11 10:36 config.default.php
-rw-r--r-- 1 www-data www-data  361 mars  24 01:15 config.php
drwxr-x--- 2 www-data www-data 4096 mars  11 10:36 favicons
-rw-r----- 1 www-data www-data   93 mars  11 10:36 force-https.default.txt
-rw-r----- 1 www-data www-data  309 mars  11 10:36 index.html
drwxr-x--- 4 www-data www-data 4096 mars  11 10:36 PubSubHubbub
-rw-r----- 1 www-data www-data 3262 mars  11 10:36 shares.php
drwxr-x--- 2 www-data www-data 4096 mars  11 10:36 tokens
drwxr-x--- 4 www-data www-data 4096 mars  24 01:15 users

I really can't figure out why FreshRSS (or apache) does not take its umask into account when it creates the FreshRSS configuration file.

Any thought?

Could you please try with the file_put_contents() function?
Did you test with the Web installer, or the command-line?

I must have been mistaken. In the directory where the config file is written, files have 644 permissions, with fwrite() or file_put_contents() or with the FreshRSS installer (I use the command line installer).

I'll have a deeper look at my install process, but there is nothing special about the installer, and no bug in it. I'm closing the issue.

Oops, I did it again.

In fact, there is a problem, something I don't understand...

I changed the umask to 037, my test scripts (which use fwrite() and file_put_contents()) generate new files with 640 permissions (which is ok).

But FreshRSS generates a configuration whose permissions are 644 which should not normally happen.

How does FreshRSS manage to bypass my apache default umask?

Is it an install via the CLI or via the Web interface? Are your test scripts called the same way?

The install is made via the CLI. All my scripts are called either via an http call (for my test script) or via the CLI (for the FreshRSS install script).

In order to compare, you need to call your test script the same way (i.e. from command line).

Yes you're right, I understand why the strange behaviour happened.

When triggering the install via the CLI, I was launching the script without going through the http server, it was a direct php execution:

freshrss/cli/create-user.php --user user --password 'passwd' \
    --api-password 'passwd' --language lang --email email \
    --token token

I was then triggering my test scripts via http, going through the http server.

That's why my test scripts were following the default umask of the http server, while the FreshRSS install - directly triggered - was not following it.

All is normal now, but I still have my original problem.

What umask is applied when triggering the install script directly?

  • I can't set umask on the apache configuration as we just saw that apache was bypassed.
  • I can't set umask on $HOME/.bashrc as bash is not executed when launching a php script via sudo or ansible

I have no idea how to control the permissions of the file created by do_install.php. Any idea?

You can try calling umask from the same shell that is calling the rest. Something like the following (not tested):

sudo -u www-data sh -c 'umask XXX ; ./cli/xxx.php'

It looks like a workaround more than like a real solution.

But the workaround actually works!

Thanks for the idea.

Do you have any idea why the following command:

umask 037 && {{ _freshrss.install_path }}/cli/create-user.php --user {{ _freshrss.end_user.login }} --password '{{ _freshrss.end_user.password }}' --api-password '{{ _freshrss.end_user.password }}' --language {{ _freshrss.locale }} --email {{ _freshrss.end_user.email }} --token {{ _freshrss.token }}

creates the following permissions:

drwxr----- 2 www-data 4,0K mai    7 02:55 <user>

It should be rwxr-x---, don't you think?

drwxr-x--- 4 www-data 4,0K mai    7 02:55 <user>

The directory is missing the execute flag for the group so that the group can list files inside.

I always have to look up the octal notation :-P Maybe you could try the "human-readable" syntax https://www.computerhope.com/unix/uumask.htm
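An added example (my own, not code from the FreshRSS project or from anyone in this thread): it wraps a command in a child shell with a given umask, in the same shape as the `sudo -u www-data sh -c 'umask XXX ; ./cli/xxx.php'` workaround above, and uses that to show the file and directory modes each mask discussed here actually produces. It assumes a POSIX sh whose umask builtin accepts both octal and symbolic masks.

```shell
#!/bin/sh
# run_with_umask MASK CMD [ARGS...]
# Run CMD under MASK in a child shell so the caller's own umask is untouched.
# MASK may be octal (027) or symbolic (u=rwx,g=rx,o=); the umask builtin takes both.
run_with_umask() {
    _m=$1; shift
    sh -c 'umask "$1" && shift && exec "$@"' sh "$_m" "$@"
}

# modes_under_umask MASK
# Create one file and one directory under MASK in a scratch directory and
# print their ls-style mode strings, e.g. "-rw-r----- drwxr-----" for 037.
modes_under_umask() {
    _mask=$1
    _tmp=$(mktemp -d) || return 1
    run_with_umask "$_mask" touch "$_tmp/file" || return 1
    run_with_umask "$_mask" mkdir "$_tmp/dir"  || return 1
    # the first 10 columns of ls -ld are the type and permission bits
    _fmode=$(ls -ld "$_tmp/file" | cut -c1-10)
    _dmode=$(ls -ld "$_tmp/dir"  | cut -c1-10)
    rm -rf "$_tmp"
    printf '%s %s\n' "$_fmode" "$_dmode"
}

# Side by side: 037 removes the group execute bit from directories (group can
# no longer list them); 027 and its symbolic spelling keep it.
for m in 037 027 'u=rwx,g=rx,o='; do
    printf '%-22s %s\n' "umask $m:" "$(modes_under_umask "$m")"
done
```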

Ok, when I use umask u=rwx,g=rx,o=, it works well ... at last!

Thanks for your tips!

Unfortunately, I have to comment again on this thread as I still do not understand something about my permissions.

With a default install, I can still find some files whose permissions are not correct:

find /path/to/freshrss/ -type f ! -perm 640 -ls
2852 36 -rw-r--r-- 1 www-data www-data 32894 mai 26 19:00 /path/to/freshrss/data/cache/d760a7e4788bb026eef972858602da32.spc
2849 24 -rw-r--r-- 1 www-data www-data 22231 mai 26 19:00 /path/to/freshrss/data/cache/cda36d28005263cc9615702edde54d35.spc
2853 4 -rw-r--r-- 1 www-data www-data 37 mai 19 12:00 /path/to/freshrss/data/favicons/d89a7900.txt
2850 4 -rw-r--r-- 1 www-data www-data 20 mai 19 12:00 /path/to/freshrss/data/favicons/fb42dc62.txt
2851 20 -rw-r--r-- 1 www-data www-data 18102 mai 19 12:00 /path/to/freshrss/data/favicons/fb42dc62.ico
2854 8 -rw-r--r-- 1 www-data www-data 6518 mai 19 12:00 /path/to/freshrss/data/favicons/d89a7900.ico

Permissions are 644 instead of 640, as default apache umask is 027.

Can you tell me when these files are created? Is it on install, on configure, or on first refresh time?

I reinstalled FreshRSS and it appears that these files are not created during the install process. It is the first cron job, which makes FreshRSS refresh and update all feeds, that creates these files.

Yes, the files under ./data/cache/ are created at refresh time. New ones will be created when adding new feeds, or if some feeds change address. Other subdirectories of ./data/ will receive new files in various different occasions, such as adding new users, a change of PubSubHubbub, a change of API password, etc.

There are at least three ways to run some FreshRSS code:

  1. Via the Web interface
  2. Via the cron job
  3. Via the CLI

You need to make sure that each case is using the proper user.

As FreshRSS is not doing anything special with access rights, I still doubt there is anything to do in the code itself. What do you have in mind?

For instance, this is the line creating .txt files under ./data/favicons/

https://github.com/FreshRSS/FreshRSS/blob/0c066cb4285feb54cd9947c01dd759afdc0f37fb/app/Models/Feed.php#L155

It is a simple file_put_contents() function with nothing special about access rights.

Refresh is fired by a cronjob of www-data user. But this job does not pass through the apache httpd server:

>more /etc/cron.d/freshrss 
#Ansible: freshrss cron job
0 * * * * www-data php -f /home/user/apps/FreshRSS-1.10.0/app/actualize_script.php > /tmp/freshrss.log 2>&1

I have to check the default umask of user www-data to better understand what's going on.

The results of my tests are strange.

Here's what FreshRSS is generating:

-rw-r--r-- 1 www-data www-data 18102 mai   27 11:00 d899f81d.ico

Here is what I get while running a simple script via apache httpd server, and running the same script via sudo and php:

-rw-r----- 1 www-data www-data  14 mai   28 00:41 apache-written-file.txt
-rw------- 1 www-data www-data  14 mai   28 00:42 php-written-file.txt

Owner and group are ok, but no file has the permissions of the file created by FreshRSS: 640 and 600 instead of 644.

The php script is as simple as possible:

<?php

$file = "written-file.txt";
$data = "written-string";
file_put_contents($file, $data);
echo "string written";

?>

Running it with apache is a simple http get, and running it via sudo and php is a simple command line:

sudo -u www-data php -f create-file.php

I don't know how to check the default umask of the www-data user:

sudo -u www-data umask
sudo: umask: command not found

Am I missing something in my test? Maybe a specific sudo parameter about environment management.

I should maybe modify the cronjob to replace the php command by a wget or curl command. This would force the job to pass through the apache server, and hence to follow the apache php permissions.

For cron / CLI, I would still go for my proposition from earlier https://github.com/FreshRSS/FreshRSS/issues/1460#issuecomment-299396040

I ended up with the solution that you were advising:

The cronjob starts with a umask command:

>more /etc/cron.d/freshrss 
#Ansible: freshrss cron job
0 * * * * www-data umask u=rwx,g=rx,o= && php -f /home/user/apps/FreshRSS-1.10.0/app/actualize_script.php > /tmp/freshrss.log 2>&1

Thanks for the advice!
