Bug #16979
closed
0177 umask causes Rails cache dirs to be created without +x
Description
All,
We receive the following error when installing foreman into our CentOS 7.2 instance [3].
We are required to run httpd with a umask [1], per STIG V-2259.
This results in a systemd service with the following [2]; as a result, files in /usr/share/foreman/tmp/ are created with insufficient privileges.
The sub-process accessing these files is not running as foreman.
I suggest:
- The cache-file management algorithm create files with the explicit permissions to be later accessed.
- The sub-process accessing these files run in the correct context (U/G/O).
I understand this issue is somewhat created by the umask and understand this bug may be rejected.
Sincerely,
RM
[1]
cat /usr/lib/systemd/system/httpd.service
<snip />
[Service]
<snip />
UMask=0177
[2]
[06:07:00 root@hostname dir]# ll /usr/share/foreman/tmp/cache/
total 0
drw-------. 2 foreman foreman 40 Oct 11 05:48 69D
drw-------. 2 foreman foreman 40 Oct 11 05:48 794
drwx------. 3 foreman foreman 60 Oct 11 05:30 7D5
[3]
Permission denied @ dir_s_mkdir - /usr/share/foreman/tmp/cache/794/F40 (Errno::EACCES)
/opt/rh/rh-ruby22/root/usr/share/ruby/fileutils.rb:252:in `mkdir'
/opt/rh/rh-ruby22/root/usr/share/ruby/fileutils.rb:252:in `fu_mkdir'
/opt/rh/rh-ruby22/root/usr/share/ruby/fileutils.rb:226:in `block (2 levels) in mkdir_p'
/opt/rh/rh-ruby22/root/usr/share/ruby/fileutils.rb:224:in `reverse_each'
/opt/rh/rh-ruby22/root/usr/share/ruby/fileutils.rb:224:in `block in mkdir_p'
/opt/rh/rh-ruby22/root/usr/share/ruby/fileutils.rb:210:in `each'
/opt/rh/rh-ruby22/root/usr/share/ruby/fileutils.rb:210:in `mkdir_p'
<snip />
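The failure mode in the report, and the first suggestion (explicit permissions on cache directories), as an added Ruby example that is not Foreman or Rails code: under UMask=0177 a default `mkdir` yields mode 0600, so the directory owner cannot create entries inside it, while a `chmod` after `mkdir` is not filtered by the umask. The helper names `create_nested` and `run_demo` are hypothetical, the directory names are borrowed from the listing above, and when run as root the EACCES does not appear because root bypasses directory permission checks.

```ruby
require "tmpdir"

STIG_UMASK = 0o177 # UMask value from the httpd unit quoted in the report

# Create base/a/b/... one level at a time, like a file cache store does.
# dir_mode nil -> mode is left to mkdir's default (0777 & ~umask).
# dir_mode set -> chmod after mkdir; chmod(2) is not filtered by the umask.
# Returns [modes of the directories created, error class or nil].
def create_nested(base, components, dir_mode: nil)
  modes = []
  parent = base
  components.each do |name|
    dir = File.join(parent, name)
    begin
      Dir.mkdir(dir)
    rescue Errno::EACCES => e
      return [modes, e.class] # parent lacks the search (x) bit
    end
    File.chmod(dir_mode, dir) if dir_mode
    modes << (File.stat(dir).mode & 0o777)
    parent = dir
  end
  [modes, nil]
end

# Runs both variants under the restrictive umask in a scratch directory.
def run_demo
  Dir.mktmpdir do |tmp| # created before the umask is tightened
    old = File.umask(STIG_UMASK)
    begin
      broken = create_nested(tmp, %w[794 F40])
      fixed  = create_nested(tmp, %w[69D F40], dir_mode: 0o700)
      File.chmod(0o700, File.join(tmp, "794")) # let mktmpdir clean up
      { broken: broken, fixed: fixed }
    ensure
      File.umask(old)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each do |name, (modes, err)|
    puts "#{name}: #{modes.map { |m| format('%04o', m) }.join(' ')} #{err}"
  end
end
```

Mode 0700 keeps the directories private to the owning user; it only restores the search bit that the umask removed.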