umask for non-root users not as expected #1142
Description
The default umask for non-root users is generally 0002 (775 for folders and 664 for files) on any Ubuntu server, but it seems to be 0022 in this docker image. I am not sure if this is intended or an issue.
scenario:
I am using this image to set up a stack for Magento. I have installed composer as well as cron inside this image. It's a non-production environment, so I didn't separate them into their own containers, to accommodate limited hardware resources.
I am using the www-data group with the sticky bit to share permissions between host and container. The issue arises with files/folders created by cron, composer, php or any other process that has a umask of 0022 (755 for folders and 644 for files), so the files/folders are not writable on the host unless sudo, the root user or an ACL is used.
what I have found:
On a default Ubuntu installation the umask for a non-root user is set by the `pam_umask.so` module. It normally reads from `login.defs`, which has an entry called `USERGROUPS_ENAB` that converts the umask to 0002 for a non-root user whose uid and gid are the same.
The module is generally called from `/etc/pam.d/common-session`; this image seems to be missing the module call in this file as well.
what I have tried:
- manually adding `session optional pam_umask.so` at the end of `/etc/pam.d/common-session` and `/etc/pam.d/common-session-noninteractive`. This does seem to load the umask value from `login.defs`; if I change the value it gets reflected, but the non-root user umask due to `USERGROUPS_ENAB` still does not work.
- manually adding `session optional pam_umask.so` at the end of `/etc/pam.d/common-session` and `/etc/pam.d/common-session-noninteractive`, as well as adding `umask=0002` in www-data's `/etc/passwd` gecos field. This works as desired. I can even load the module in `pam.d/cron`, and cron tasks' umask is 0002 now.
- lastly, for the `docker exec` command which I use to run composer as www-data, the pam_umask module seems to make no difference; for this, adding `umask=0002` in the www-data user's home `.bashrc` does the job.
what I want to know:
- why `USERGROUPS_ENAB` is failing to set a 0002 umask for the non-root user www-data. I even created a totally new user and the umask is still 0022 with `USERGROUPS_ENAB`; adding umask to the gecos field works here as well.
- why `docker exec -it -u www-data $container_name /bin/bash` is not using the value set by pam_umask; only `.bashrc` works for this. If I manually do `su www-data -s /bin/bash` from a root exec, the pam_umask value is set correctly as well.
Thank you for reading; I have done my best to make it brief. I am hoping to get some insights on this.
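The following is an added example, not code from the issue author or from the image project. It shows the two mechanics the report turns on, without needing PAM or Docker: the umask a process carries decides the mode of every file and directory it creates (0777 and 0666 masked by the umask), and the umask is a per-process attribute inherited across fork/exec, so a child shell gets whatever its parent had unless something (PAM at login, `.bashrc`, an explicit `umask` call) changes it. The function names, the scratch directory and the sample masks are choices made for this example.

```shell
#!/bin/sh
# Added example (not part of the issue): umask -> resulting file modes,
# and umask inheritance by child processes. Assumes a POSIX sh plus
# GNU or BSD stat; nothing here touches PAM, login.defs or Docker.

# mode_of PATH: print the octal permission bits of PATH (GNU stat first,
# BSD stat as a fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# modes_under_umask MASK: in a fresh scratch directory, create one
# directory and one file while MASK is in effect, then print
# "<dir mode> <file mode>", e.g. "755 644" for 0022 or "775 664" for 0002.
# The umask is set in a subshell so the caller's own umask is untouched.
modes_under_umask() {
  scratch=$(mktemp -d)
  (
    umask "$1"
    mkdir "$scratch/dir"
    : > "$scratch/file"
  )
  printf '%s %s\n' "$(mode_of "$scratch/dir")" "$(mode_of "$scratch/file")"
  rm -rf "$scratch"
}

# group_writable MODE: succeed when the group write bit (020) is set in the
# octal MODE string, i.e. when a www-data group member on the host could
# write to the file, which is what the issue wants for shared volumes.
group_writable() {
  [ $(( 0$1 & 020 )) -ne 0 ]
}

# child_umask MASK: set MASK, then ask a child shell what its umask is.
# The child reports MASK, because umask is inherited across fork/exec.
# This is why a `docker exec` shell shows the umask of whatever started it
# rather than a PAM-derived one: no PAM session runs on that path, so only
# the shell's own startup files (such as .bashrc) can change it.
child_umask() {
  ( umask "$1"; sh -c 'umask' )
}

# Stand-alone demonstration.
if [ "${1:-}" = "demo" ]; then
  for m in 0022 0002; do
    printf 'umask %s -> dir/file modes: %s\n' "$m" "$(modes_under_umask "$m")"
  done
  printf 'child of a umask 0002 shell reports: %s\n' "$(child_umask 0002)"
fi
```

Run it with `sh umask_demo.sh demo`. If the modes you see inside a container differ from what `login.defs` promises, compare `umask` output from a `docker exec` shell, from `su - www-data`, and from a cron job: each is started by a different parent, and only the paths that actually open a PAM session can consult `pam_umask`.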