Hi Nate,
Thanks for the reply. No I hadn't thought to add anything to /etc/init.d/galaxy itself. It is a short enough script that I can paste it below. What would I need to do to edit it with umask settings?
Also I should note, changing the umask in the PAM files actually did change the default permissions for the galaxy user when I did an "su - galaxy" in a bash shell and then created or 'touch'-ed any files (which you could logically expect). But for some reason it didn't seem to make a difference with the directories created in that tmp/ directory even though the galaxy user was given ownership. That made me wonder if something was going on internal to Galaxy, or something else, that was overwriting/ignoring the system umask settings (which actually work fine in a shell environment as the user itself). Maybe I'll look into that ACL stuff Paul mentioned.
Here is my /etc/init.d/galaxy script:
------------------------
On Dec 4, 2012, at 10:52 AM, Josh Nielsen wrote:
> Hello all,
>
> I am having issues downloading HTML files from Galaxy the same as is described in this email chain:
>
> http://lists.bx.psu.edu/pipermail/galaxy-dev/2012-August/010965.html
>
> I am getting the error "(13)Permission denied: xsendfile: cannot open file: /basedir/galaxy_data/database/tmp/tmp8iEccn/library_download.zip" which is indeed a basic filesystem permissions issue. The problem is that the permissions created for that directory and every directory created in tmp/ look like this:
>
> drwx------+ 2 galaxy galaxy 3 Dec 4 09:23 tmp8iEccn
>
> And I have placed the Apache user in the galaxy group, but as you can see no group permissions ever get set by Galaxy on the directories that it creates (it is getting a 700 permissions setting).
>
> As Nate Coraor suggested in the message linked to above, I have tried altering the default umask but I ran into issues with getting non-existant results. I use "sudo service galaxy start" as the galaxy user each time to start the server and a "ps -ef | grep galaxy" confirms that Galaxy is running as the galaxy user. Since I use sudo though I changed the sudoers file to include:
>
> root ALL=(ALL) ALL
> galaxy ALL=(ALL) ALL
> Defaults umask_override
> Defaults umask = 0002
>
> This changed absolutely nothing. Then I started looking deeper into the PAM configuration and added a umask directive to /etc/pam.d/sudo (and also tried it in password-auth-ac and system-auth-ac) like this: "session optional pam_umask.so umask=0002". Still nothing changed in the permissions in tmp/ when I tried to download an HTML file: no group permissions were set. Then I dug deeper still and saw that sometimes if setting the mask in /etc/pam.d/ config files is not enough that you can try to set a system-wide mask in /etc/login.defs (following the suggestion here: http://stackoverflow.com/questions/10220531/how-to-set-system-wide-umask). Still no dice. I've pretty much exhausted my know-how in this department. Any other suggestions of how to fix this or where the correct place to set the umask is?
Hi Josh,
Thanks for doing such extensive tests. Have you tried setting the umask in the init script itself?
--nate
>
> Thanks,
> Josh Nielsen