I noted the topic about the data files for interactive batch_connect jobs having permissions set to 700 (#4047), but the ~/ondemand directory itself is created with 755 permissions. Is there a configuration variable somewhere that would allow me to set that entire directory tree to 700 permissions from the very start? If not, can you point me to the source file where I can edit that parameter myself?
Digging through the OOD source and thinking about the architecture, I realized that the dashboard app is most likely the one that actually creates the directory (it could also be the jobs app, but the dashboard usually comes first). None of the ‘mkdir’ or ‘mkpath’ calls specified a mode (except for the batch_connect module discussed in the previous article), so it was most likely deriving its umask from the Apache parent process, which pulls it from the system itself.
More research led to the /etc/pam.d/system-auth file as the way to set the umask for all systemd-created processes. Given that we run OOD inside its own podman container, I just added this line to the bottom of that file in my container:
session optional pam_umask.so umask=077
That did the trick. When I delete the directory and let OOD re-create it, it comes back with 700 permissions. I realize it is a crowbar approach and I need to do more testing to see if there are any unintended side effects – so if there is a more elegant way to do it within the OOD source, I’m open …
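The post's reasoning rests on two facts: a Ruby mkdir/mkpath call with no mode argument gets 0777 minus the process umask, while a call that passes an explicit mode (as the batch_connect module does) gets that mode regardless of umask. The following Ruby script, an added example that is not part of the post or of the OOD code base, shows both behaviours side by side and then audits a small constructed directory tree for entries still accessible to group or others, which is the check to run against ~/ondemand after changing the container's umask. The helper names, the temporary tree layout and the sample file are assumptions made for the example.

```ruby
require 'fileutils'
require 'tmpdir'
require 'find'

# Create BASE/ondemand/data under the given umask, optionally passing an
# explicit mode the way the batch_connect code does, and return the resulting
# permission bits of the two directories. Assumed helper, not OOD code.
def permissions_under(umask:, mode: nil)
  Dir.mktmpdir do |base|
    root = File.join(base, 'ondemand')
    data = File.join(root, 'data')
    old_umask = File.umask(umask)
    begin
      if mode
        # mkdir_p(mode:) chmods each created directory afterwards,
        # so the explicit mode wins over the process umask
        FileUtils.mkdir_p(data, mode: mode)
      else
        # no mode given: the kernel applies 0777 & ~umask, which is
        # why an umask of 022 yields the 755 directory seen in the post
        FileUtils.mkdir_p(data)
      end
    ensure
      File.umask(old_umask)
    end
    [File.stat(root).mode & 0o777, File.stat(data).mode & 0o777]
  end
end

# Walk a tree and return every entry whose group or other bits are set.
# Run this against ~/ondemand to confirm the umask change took effect.
def group_or_other_accessible(root)
  Find.find(root).select { |path| (File.lstat(path).mode & 0o077) != 0 }
end

# Build a constructed sample tree (directories created without a mode plus one
# data file) under the given umask and return the offending paths relative to
# the temporary base directory.
def loose_entries_under(umask:)
  Dir.mktmpdir do |base|
    root = File.join(base, 'ondemand')
    old_umask = File.umask(umask)
    begin
      FileUtils.mkdir_p(File.join(root, 'data', 'sys'))
      # constructed sample file; File.write uses 0666 & ~umask
      File.write(File.join(root, 'data', 'sys', 'job.yml'), "constructed sample\n")
    ensure
      File.umask(old_umask)
    end
    group_or_other_accessible(root).map { |path| path.sub("#{base}/", '') }
  end
end

if __FILE__ == $PROGRAM_NAME
  [[0o022, nil], [0o077, nil], [0o022, 0o700]].each do |umask, mode|
    root_mode, data_mode = permissions_under(umask: umask, mode: mode)
    printf("umask %03o mode %-5s -> ondemand %03o, data %03o\n",
           umask, mode ? format('%03o', mode) : 'none', root_mode, data_mode)
  end
  puts "loose entries under umask 022: #{loose_entries_under(umask: 0o022).inspect}"
  puts "loose entries under umask 077: #{loose_entries_under(umask: 0o077).inspect}"
end
```

The audit helper uses File.lstat so that symlinks are judged by their own bits rather than by whatever they point at; it reports the path as offending if any group or other bit is set, which is the condition a 700 tree must never meet.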