diff --git a/lib/fluent/supervisor.rb b/lib/fluent/supervisor.rb
index 34d9dadceb..ccb633fe61 100644
--- a/lib/fluent/supervisor.rb
+++ b/lib/fluent/supervisor.rb
@@ -589,6 +589,7 @@ def self.serverengine_config(params = {})
chuser: params['chuser'],
chgroup: params['chgroup'],
chumask: params['chumask'].is_a?(Integer) ? params['chumask'] : params['chumask']&.to_i(8),
+ umask: params['umask'],
daemonize: daemonize,
rpc_endpoint: params['rpc_endpoint'],
counter_server: params['counter_server'],
@@ -760,6 +761,11 @@ def run_worker
if @standalone_worker && @system_config.workers != 1
raise Fluent::ConfigError, "invalid number of workers (must be 1 or unspecified) with --no-supervisor: #{@system_config.workers}"
end
+
+ if @system_config.umask
+ File.umask(@system_config.umask)
+ $log.info "Worker applied system umask", umask: sprintf("%04o", @system_config.umask)
+ end
if Fluent.windows? && @system_config.with_source_only
raise Fluent::ConfigError, "with-source-only is not supported on Windows"
@@ -1202,6 +1208,10 @@ def build_system_config(conf)
end
end
system_config.overwrite_variables(**opt)
+ if system_config.umask
+ File.umask(system_config.umask)
+ $log.info "Applied system umask", umask: sprintf("%04o", system_config.umask)
+ end
system_config
end
diff --git a/lib/fluent/system_config.rb b/lib/fluent/system_config.rb
index 630a8ae28f..3c0854c187 100644
--- a/lib/fluent/system_config.rb
+++ b/lib/fluent/system_config.rb
@@ -30,7 +30,7 @@ class SystemConfig
:file_permission, :dir_permission, :counter_server, :counter_client,
:strict_config_value, :enable_msgpack_time_support, :disable_shared_socket,
:metrics, :enable_input_metrics, :enable_size_metrics, :enable_jit, :source_only_buffer,
- :config_include_dir
+ :config_include_dir,:umask
]
config_param :workers, :integer, default: 1
@@ -61,6 +61,7 @@ class SystemConfig
v.to_i(8)
end
config_param :config_include_dir, default: Fluent::DEFAULT_CONFIG_INCLUDE_DIR
+ config_param :umask, :string, default: nil, pattern: /\A[0-7]{3,4}\z/
config_section :log, required: false, init: true, multi: false do
config_param :path, :string, default: nil
config_param :format, :enum, list: [:text, :json], default: :text
@@ -144,6 +145,7 @@ def initialize(conf=nil, strict_config_value=false)
super()
conf ||= SystemConfig.blank_system_config
configure(conf, strict_config_value)
+ @umask = @umask ? @umask.to_i(8) : nil
end
def configure(conf, strict_config_value=false)
diff --git a/test/config/test_system_config.rb b/test/config/test_system_config.rb
index 9a37a3d272..748710e33d 100644
--- a/test/config/test_system_config.rb
+++ b/test/config/test_system_config.rb
@@ -89,6 +89,7 @@ def parse_text(text)
'restart_worker_interval' => ['restart_worker_interval', 60],
'root_dir' => ['root_dir', File.join(TMP_DIR, 'root')],
'log_level' => ['log_level', 'error'],
+ 'umask' => ['umask', '0022'],
'suppress_repeated_stacktrace' => ['suppress_repeated_stacktrace', true],
'ignore_repeated_log_interval' => ['ignore_repeated_log_interval', 10],
'log_event_verbose' => ['log_event_verbose', true],
@@ -112,6 +113,8 @@ def parse_text(text)
sc.overwrite_variables(**s.for_system_config)
if k == 'log_level'
assert_equal(Fluent::Log::LEVEL_ERROR, sc.__send__(k))
+ elsif k == 'umask'
+ assert_equal(0o022, sc.__send__(k))
else
assert_equal(v, sc.__send__(k))
end
@@ -237,5 +240,37 @@ def parse_text(text)
]
)
end
+ sub_test_case 'umask parameter' do
+ test 'valid 3-digit octal' do
+ conf = parse_text(<<-EOS)
+
+ umask 022
+
+ EOS
+ sc = Fluent::SystemConfig.new(conf)
+ assert_equal 0o22, sc.umask
+ end
+
+ test 'valid 4-digit octal' do
+ conf = parse_text(<<-EOS)
+
+ umask 0022
+
+ EOS
+ sc = Fluent::SystemConfig.new(conf)
+ assert_equal 0o22, sc.umask
+ end
+
+ test 'invalid non-octal digits' do
+ assert_raise(Fluent::ConfigError) do
+ parse_text(<<-EOS)
+
+ umask 888
+
+ EOS
+ end
+ end
+ end
+
end
end