From dd981dc799362d47387da584e1a276bbd1f1bd1b Mon Sep 17 00:00:00 2001
From: David Coppit <david@coppit.org>
Date: Fri, 26 Jun 2015 01:08:53 -0400
Subject: [PATCH] Add umask support

---
 README.md   | 13 +++++++++----
 monitor.sh  |  2 +-
 runas.sh    | 10 +++++++++-
 sample.conf |  6 ++++--
 4 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 01c9c1a..107d6c4 100644
--- a/README.md
+++ b/README.md
@@ -49,10 +49,13 @@ and "wheel" groups:
 
 `-e UMAP="nobody:99:100 www:80:800" -e GMAP="users:100 wheel:800"`
 
-For commands that create files without an explicit user or group name, you may want to set the `USER_ID` and `GROUP_ID`
-in the config file.  For example, if your command is `echo foo > /dir1/foo.txt`, then by default the file will be
-created as the "root" user of the container. If you want it to be created with the user ID and group ID of "nobody" in
-the host, you would set these config values to the output of `id -u nobody` and `id -g nobody` in the host.
+For commands that create files without an explicit user or group name, you may want to set the `USER_ID`, `GROUP_ID`,
+and `UMASK` in the config file.  For example, if your command is `echo foo > /dir1/foo.txt`, then by default the file
+will be created as the "root" user of the container. If you want it to be created with the user ID and group ID of
+"nobody" in the host, you would set these config values to the output of `id -u nobody` and `id -g nobody` in the host.
+
+Similarly, you may want to set the `UMASK` to match the host. As root you can run `su -l nobody -c umask` on the host to
+determine the umask for the "nobody" user. The `UMASK` config value must be specified in octal, such as 0022.
 
 Examples
 --------
@@ -67,6 +70,7 @@ This example is to run a permissions-repairing utility whenever there's a change
     # Need to run as root to have the authority to fix the permissions
     USER_ID=0
     GROUP_ID=0
+    UMASK=0000
     # This is important because chmod/chown will change files in the monitored directory
     IGNORE_EVENTS_WHILE_COMMAND_IS_RUNNING=1
 
@@ -86,6 +90,7 @@ This example tells SageTV to rescan its imported media when the media directory
     # User and group don't really matter for the wget command. But we need to specify them in the config file.
     USER_ID=0
     GROUP_ID=0
+    UMASK=0000
     IGNORE_EVENTS_WHILE_COMMAND_IS_RUNNING=0
 
 We don't need to ignore events while the command is running because the wget command is a "fire and forget" asynchronous
diff --git a/monitor.sh b/monitor.sh
index 82fa08f..63f3a1b 100755
--- a/monitor.sh
+++ b/monitor.sh
@@ -220,7 +220,7 @@ do
     wait_for_minimum_period $last_run_time
 
     echo "$(ts) Running command with user ID $USER_ID and group ID $GROUP_ID"
-    /files/runas.sh $USER_ID $GROUP_ID $COMMAND &
+    /files/runas.sh $USER_ID $GROUP_ID $UMASK $COMMAND &
     PID=$!
     last_run_time=$(date +"%s")
 
diff --git a/runas.sh b/runas.sh
index d7056f5..8e9b6a4 100755
--- a/runas.sh
+++ b/runas.sh
@@ -12,6 +12,7 @@ function process_args {
   # These are intended to be global
   USER_ID=$1
   GROUP_ID=$2
+  UMASK=$3
 
   if [[ ! "$USER_ID" =~ ^[0-9]{1,}$ ]]
   then
@@ -24,6 +25,12 @@ function process_args {
     echo "Group ID value $GROUP_ID is not valid. It must be a whole number"
     exit 1
   fi
+
+  if [[ ! "$UMASK" =~ ^[0-7][0-7][0-7][0-7]$ ]]
+  then
+    echo "The umask value $UMASK is not valid. It must be an octal number such as 0022"
+    exit 1
+  fi
 }
 
 #-----------------------------------------------------------------------------------------------------------------------
@@ -56,9 +63,10 @@ function create_user {
 process_args "$@"
 
 # Shift off the args so that we can exec $@ below
-shift; shift
+shift; shift; shift
 
 create_user $USER_ID $GROUP_ID
 
 echo "$(ts) Running command as user \"$USER\"..."
+umask $UMASK
 exec /sbin/setuser $USER "$@"
diff --git a/sample.conf b/sample.conf
index 77ac6a2..2aa50f3 100644
--- a/sample.conf
+++ b/sample.conf
@@ -27,10 +27,12 @@ MIN_PERIOD=10:00
 # that we've installed the plugin called "sagex-services - SageTV Remote API Services".
 COMMAND="wget -nv -O /dev/null --auth-no-challenge http://sage:frey@192.168.1.102:8080/sagex/api?c=RunLibraryImportScan&1="
 
-# Set the user and group ID that you want to run the command as. The user will be randomly generated. This is mostly so
-# that files written by the command in any directory shared with the host will have the right IDs.
+# Set the user and group ID that you want to run the command as, as well as the umask. The user will be randomly
+# generated. This is mostly so that files written by the command in any directory shared with the host will have the
+# right IDs.
 USER_ID=0
 GROUP_ID=0
+UMASK=0
 
 # This is a very good idea if your command modifies the WATCH_DIR in any way. You can easily trigger yourself because
 # most programs don't worry about checking the current state before making a change. e.g. chmod will set the mode of a