Setting umask for Nginx or Caddy server

Hi everyone,

I am struggling with an issue for quite some time. The ultimate goal is accessing my datasets remotely over Nextcloud as well as locally over SMB.

My system:

  • TrueNAS based on FreeBSD 12.2
  • Nextcloud running in a Caddy server (I’d be open to Nginx server, these two options can be deployed with very low effort)
  • User datasets mounted over fstab entries in FreeBSD jail running Nextcloud
  • Small home NAS with a handful of users, all part of group “home”

My issue:

  • Integrating datasets from /mnt/… with external storage works fine.
  • I managed to change the primary group of www to my home group. So the owner of newly created data is www:home, which is already a big step to my goal.
  • But the new files have 644 permissions, and new folders 755.
  • Meaning that data uploaded to or created in Nextcloud has read-only permissions when accessed over SMB by user1:home.
  • A nightly cronjob resets all permissions to 770, sometimes I do it manually if I need to edit data asap, which is quite often.

The main reason I really want direct SMB shares on my datasets are the powerful ZFS snapshots in FreeBSD. With a direct SMB share I can expose all snapshots to the user, allowing them to get back deleted or modified data up to one year back. I am pretty sure that all of this would be lost over WebDAV, when even in Nextcloud it is not fully accessible (only file changes, no directory versions).

What I have tried so far:

  • Add umask 007 to the php-fpm daemon:
[...]
: ${php_fpm_umask="007"}
[...]
php_fpm_prestart()
{
        php_fpm_checkconfig
        checkconfig=$?
        if [ $checkconfig -ne 0  ]; then
                return $checkconfig
        fi

        if [ ! -z "$php_fpm_umask"  ]; then
                echo "Setting umask to: ${php_fpm_umask}"
                umask $php_fpm_umask
        fi
}

Restarting php-fpm outputs following text:

test is successful

Setting umask to: 007
Starting php_fpm.
  • Create home directory for www user, adding umask 007 to .profile, .cshrc, .bashrc, .bash_profile, etc.
  • Create login for www user and have www logged in while testing Nextcloud.
  • ACLs with inheritance; it seems they were overridden by the Nextcloud permissions.
  • Directly mounting the user files folder from the host system, without the step over external storage. But, as I found out, file changes outside of Nextcloud are not registered. Probably the reason why the external storage app exists in the first place.
  • Maybe some other stuff too.

All of these tries did not change the permissions on new data. 644/755, no matter what.

My questions now:

  • Of course my main question: how can I set the umask for web servers other than Apache? (Link1 Link2 Link3)
  • Or one step back: why is it even necessary to jump through these hoops? Nextcloud allows for authentication via SMB (and others), so why does it not handle the data with the real ownership of the authenticated user? How do enterprise customers handle this? Big companies with tight IT policies regarding groups and permissions of their data, I can’t imagine that they just give up on this and allow setting everything to www:www with 777.
  • Why aren’t snapshots integrated more seamlessly? They are awesome! I can’t imagine being the only one missing this feature. There is an almost four-year-old feature request on GitHub for folder versions and one from last year for external storage support. This would make it easier for me to accept passing on an SMB share.

I am interested to hear any pointers how to solve it or how you guys handle this.
Thanks in advance
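An added example, not code from this thread or from Nextcloud, that exercises the mechanism the question is about in isolation: it creates a file and a directory under a chosen umask and reports their modes (0666 & ~umask for files, 0777 & ~umask for directories), shows that a umask set in a subshell, or in a login profile, never reaches an unrelated process, and ends with a targeted version of the nightly chmod that only touches entries missing group write. It assumes a POSIX sh with mktemp, find and either GNU or BSD stat; the function names `mode_of`, `modes_under_umask`, `umask_after_subshell` and `fix_group_perms` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates (1) how the umask of
# the creating process determines the mode of new files and directories,
# (2) that a umask is inherited by child processes but never leaks back to a
# parent or across to an unrelated process, and (3) a targeted repair that
# only changes entries lacking group write, as a stand-in for "chmod -R 770".

# Octal permission bits of a path. GNU stat (Linux) uses -c, BSD stat
# (FreeBSD/TrueNAS) uses -f; try GNU first and fall back to BSD.
mode_of() {
    if stat -c %a "$1" >/dev/null 2>&1; then
        stat -c %a "$1"
    else
        stat -f %Lp "$1"
    fi
}

# Create a file and a directory under umask $1 inside directory $2 and print
# "<filemode> <dirmode>". The subshell leaves the caller's umask untouched;
# the mkdir runs in a further child process to show the umask is inherited
# downward through fork/exec, exactly as php-fpm would inherit it from rc.
modes_under_umask() {
    (
        umask "$1"
        : > "$2/file"
        sh -c "mkdir '$2/dir'"
    )
    printf '%s %s\n' "$(mode_of "$2/file")" "$(mode_of "$2/dir")"
}

# A umask set in a subshell does not propagate back to its parent. A daemon
# started from rc(8) without a login shell likewise never reads ~/.profile,
# so a umask line there cannot affect it.
umask_after_subshell() {
    umask 022
    ( umask 007 )
    umask
}

# Targeted repair for an existing tree: directories get 770 and files 660,
# but only where group write is missing, so already-correct entries keep
# their ctime. Files get 660 rather than 770 because data never needs +x.
fix_group_perms() {
    find "$1" -type d ! -perm -g=w -exec chmod 770 {} +
    find "$1" -type f ! -perm -g=w -exec chmod 660 {} +
}

main() {
    tmp=$(mktemp -d) || exit 1
    echo "umask 022 -> $(modes_under_umask 022 "$tmp")"        # the thread's symptom
    echo "parent umask after subshell: $(umask_after_subshell)"
    fix_group_perms "$tmp"
    echo "after repair -> $(mode_of "$tmp/file") $(mode_of "$tmp/dir")"
    rm -rf "$tmp"
}
main
```

Run it as-is to see the 644/755 versus 660/770 outcome. For the repair step on a real dataset, add `-user www` to both find invocations, point it at the dataset path, and run it as root. If php-fpm workers still create 644 files after the rc script prints “Setting umask to: 007”, then something between that shell and the worker, or the application itself, is changing the umask again; a small PHP page served by the worker that prints `decoct(umask())` is the direct check of what the worker actually has.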

Hi @weingeist

TL;DR - Nextcloud is not intended to be a web front-end for a traditional file server. It is meant to be a replacement for it.

Don’t know, sorry.

Don’t know. But I consider the External Storage app as an auxiliary solution for special cases and would never use it as my main storage interface.

See my opening sentence. My company for example switched to SharePoint a few years back. As a result, most traditional network shares were abolished and the files were migrated over to SharePoint. After that the data became available only via the SharePoint WebUI and via WebDAV mounts to the users. Same thing when the company of my girlfriend switched to Google Workspace. Now the management of their personal files and team folders is all done within Google Drive and not via SMB on their servers anymore. In terms of Nextcloud, this would mean that you would use the “sharing” functionality of Nextcloud in order to share files between multiple users, and you would use the WebUI, the Desktop Client or WebDAV mounts to make the files available on the client computers. You also would no longer modify permissions directly on the file system level, and you would use the Group Folders app for predefined team folders.

Snapshots have to be handled differently when you use something like Nextcloud. Of course your Nextcloud data folder can live on a ZFS dataset, and you could clone a snapshot and then even restore files from this snapshot. But Nextcloud, or rather its database, will not be aware of the changes you made directly on the file system level. So I don’t know how easy it would be to integrate a user-facing component that interacts directly with the file system and exposes ZFS snapshots to the user, like the “Windows Shadow Copy” emulation in TrueNAS does via SMB. But it would certainly be a welcome feature :)

Hi @bb77

Thank you for your thoughts. I have never thought of Nextcloud as a replacement of SMB, but it would certainly explain some things.

I have read that from a few people, that External Data should not be used as main data integration point. But for me, it was the only choice to couple SMB with Nextcloud. And it has worked without issues (apart from this one permission thing) over the course of the last five years. Until the snapshot integration has progressed, I think I have to further go down this road.

So, I am hoping that maybe someone can help me with the umask. It must be possible: there must be one line of code in some file, that tells php or the www user to use umask 755.

Maybe I can grep the entire file structure for umask or 755…