How to override default permissions for files stored by Apache/PHP in /tmp?

I am on Linux, obviously. PHP scripts seem to be running under 'www-data' user. I can also see that uploaded files end up in the default /tmp directory, each with a name prepended by "php". All standard, I guess. The permissions of all these files is -rw------- i.e. 600, user 'www-data', group 'www-data'. The problem is that I have a PostgresQL database server running under user 'postgres' which needs to be able to read these files because it inserts their contents into a database. Currently it cannot, obviously. Of course, as a rule, database queries and functions operate under whoever user connects to the database (I connect as 'www-data' as well), but here we are talking about server side functions which HAVE to be invoked as 'postgres'. This is a PostgresQL limitation, for better or worse.

I do consider security in mind, but I think the worl开发者_运维问答d will not go under if I allow either postgres to read these files, or relax permissions of these files.

How do I control the permissions that these files are created with? Obviously PHP creates them itself, e.g. on POST file upload, but I cannot find any configuration switches. Also, my /tmp has permissions 'drwxrwxrwt' (777) and is owned by user 'root', group 'root'.

I tried to change the upload directory with 'php_value upload_tmp_dir ' but it has no effect, it seems - PHP still stores temporary files in /tmp.

I do NOT want to use with 'move_uploaded_file' or 'chmod', since they write to the filesystem, and I want to avoid that, other than the database server inserting record(s).

You could try changing the umask settings for Apache in /etc/apache2/envvars

I haven't tried this, but with it added to my envvars file, it would look like this:

# envvars - default environment variables for apache2ctl

# Since there is no sane way to get the parsed apache2 config in scripts, some
# settings are defined via environment variables and then used in apache2ctl,
# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
export APACHE_PID_FILE=/var/run/apache2.pid

## The locale used by some modules like mod_dav
export LANG=C
## Uncomment the following line to use the system default locale instead:
#. /etc/default/locale

export LANG

umask 022

As far as I know, this will make Apache create files with permission 644. rw-r--r--

Change your script to chmod() the files after uploading?