Processes in user groups like www-data might create and share common
files (like sockets) that need to be read/write accessible in the group
(mode_t 660). The effective file permission of O_CREAT is evaluated by
mode & ~umask. That means, even if a process tries to create a file with
660 permission it will be downgraded to 640 as the default process umask
is 0022. This patch will set the process umask to 0002 (that will only
remove o+w permission).

Common tools like nginx are prepared in the same way already (umask 0002
or lower).