Primarily to support my php configuration (as described in detail at http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers), which basically boils down to having two user and one group for ftp + php, and a separate set for the web server (apache in my case). So essentially: ftp:group php:group apache:apache php then runs as php:group, the user logs in via ftp (sftp) as ftp:group, and apache runs separate from that. The problem we've run into is that the default php umask is 022 and php itself provides no way to change that, reverting to the umask it was started with for each request. What happens now is that developers complain that whenever a file is created php-side they can't modify the file as ftp:group. Setting a umask of 02 fixes this. Currently I've modified the init script to just pass --umask=02 to start-stop-daemon, but having a more sensible way to set this would be preferred, eg, in conf.d/php-fpm PHP_UMASK=02 and then in init.d/php-fpm update the start-stop-daemon line to include --umask="${PHP_UMASK:-022}". Alternatively it may be better to create an SSD_UMASK option similar to SSD_NICELEVEL directly into start-stop-daemon that can be used generically for all services started by start-stop-daemon. Reproducible: Always
This should finally be fixed. There's a new conf.d file for the php-fpm init script, provided by eselect-php, in v0.9.2. Let me know if you have any problems! commit 69adbf61c9ba740acff8ae6bd7b577472a3d11b5 Author: Michael Orlitzky <mjo@gentoo.org> Date: Tue Jul 26 17:42:36 2016 -0400 app-eselect/eselect-php: new version 0.9.2 using bundled init scripts. This adds the current Gentoo init script (and its conf file) for php-fpm to a "doc" directory in the tarball, to be installed with newinitd and newconfd. In the process, bug 549172 was addressed by adding a new conf paramater, PHP_FPM_UMASK. Gentoo-Bug: 549172 Package-Manager: portage-2.2.28
