Skip to content

Fix umask configuration to enable group-writable files #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Fix umask configuration to enable group-writable files #41

Copilot wants to merge 5 commits into from

Conversation

Copy link

Copilot AI commented Jan 13, 2026
edited
Loading

The umask was reverting to 022 instead of 002, preventing Apache and vscode users from both writing to log files and shared directories.

Root Cause

UMASK was removed from /etc/login.defs in Debian 13 (the base image was recently upgraded from Debian 12). The original fix attempted to modify this file, but the setting no longer exists there.

Changes

Dockerfile

  • Configure pam_umask directly with umask=002 parameter in PAM configuration files (/etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive)
  • This approach works regardless of whether UMASK exists in /etc/login.defs, making it compatible with both Debian 12 and 13
  • Added umask 002 to /etc/apache2/envvars for Apache processes

refresh_content.sh

  • Added chmod -R g+w web/sites/default/files as temporary workaround until new containers are rebuilt
  • Marked with TODO for removal once Dockerfile fix is deployed

Technical Details

PAM's pam_umask module accepts a direct umask= parameter, which is more robust than relying on /etc/login.defs. The sed pattern simply adds umask=002 after pam_umask.so in the PAM configuration files.

[!WARNING]

Original prompt

This section details on the original issue you should resolve

<filter_complete></filter_complete>

<issue_title>Fix umask</issue_title>
<issue_description>We seem to be back to 022 for the umask. This breaks local logging.

Step 1: add chmod -R g+w web/sites/default/files to uceap refresh-content as temporary workaround

Step 2: fix the umask (again).</issue_description>

Comments on the Issue (you are @copilot in this section)

Original prompt

This section details on the original issue you should resolve

<issue_title>Fix umask</issue_title>
<issue_description>We seem to be back to 022 for the umask. This breaks local logging.

Step 1: add chmod -R g+w web/sites/default/files to uceap refresh-content as temporary workaround

Step 2: fix the umask (again).</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits January 13, 2026 21:32
@kurowski
Add temporary workaround and fix umask in Dockerfile
feb7e12 
Co-authored-by: kurowski <7466+kurowski@users.noreply.github.com>
@kurowski
Improve comment for temporary workaround
b86d5f6 
Co-authored-by: kurowski <7466+kurowski@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix umask to resolve local logging issues Fix umask configuration to enable group-writable files Jan 13, 2026
kurowski
kurowski requested changes Jan 13, 2026
View reviewed changes
Dockerfile Outdated

# Change default umask and add user to web group so we can share write permission on web files
RUN sed -i 's/^UMASK\s*022/UMASK 002/' /etc/login.defs
RUN sed -i 's/^UMASK[[:space:]]*022/UMASK\t\t002/' /etc/login.defs
Copy link
Member

@kurowski kurowski Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't see UMASK in /etc/login.defs anymore. perhaps it was moved in between debian 12 (our original base image) and debian 13 (which we recently upgraded to)?

Copy link
Author

Copilot AI Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! I've updated the approach to configure pam_umask directly instead of relying on /etc/login.defs. The new implementation sets umask=002 as a parameter to pam_umask.so in the PAM configuration files (/etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive), which works regardless of whether UMASK exists in /etc/login.defs. This makes it compatible with both Debian 12 and 13. (67e626a)

Copilot AI requested a review from kurowski January 13, 2026 21:35
Copilot AI and others added 2 commits January 13, 2026 21:38
@kurowski
Use pam_umask instead of /etc/login.defs for umask setting
67e626a 
Co-authored-by: kurowski <7466+kurowski@users.noreply.github.com>
@kurowski
Simplify pam_umask sed pattern for better robustness
6a7cb83 
Co-authored-by: kurowski <7466+kurowski@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kurowski kurowski Awaiting requested review from kurowski

Assignees

@kurowski kurowski

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Fix umask

2 participants

@kurowski