Suggestion
Resolution: Unresolved
Problem Definition
The warning message below commonly shows up when starting Bitbucket via script:
    ......Bitbucket is being run with a umask that contains potentially unsafe settings. The following issues were found with the mask "u=rwx,g=rwx,o=rx" (0002):
    - Access is allowed to 'others'. It is recommended that 'others' be denied all access for security reasons.
    - Write access is allowed to 'group'. It is recommend that 'group' be denied write access. Read access to a restricted group is recommended to allow access to the logs.
    The recommended umask for Bitbucket is "u=,g=w,o=rwx" (0027) and can be configured in _start-webapp.sh
    The current open files limit is set to less than 4096
    Attempting to increase limit...
    Limit increased to 4096 open files
    Starting Bitbucket webapp at http://localhost:7990
    The Bitbucket webapp has been started......
- Some Bitbucket administrators may consider that this message is "spamming" their terminal and ask why the recommended umask is not set by default and why it has to be updated manually. I will share further insights below:
- Actually, when the default installation procedure (Run as root and create a service user) is followed, Bitbucket will be set to run with a 0027 mask (and that warning won't show up).
- Otherwise, the system administrator is responsible for setting the correct umask based on their team's security needs.
- We don't override it in this case: the team could be using a more restrictive setting, and we wouldn't want to override that and inadvertently reduce security without warning.
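The two checks behind the warning (any access for 'others', write access for 'group') and the practical effect of 0002 versus the recommended 0027 on newly created files, as an added shell example; this is not part of Bitbucket's own start scripts, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from Bitbucket's start scripts: reproduce the two umask
# checks the warning describes and show what each mask does to a new file.

# Zero-pad an octal umask to four digits: 27 -> 0027, 002 -> 0002.
pad_umask() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done
    printf '%s' "$m"
}

# Return 0 (acceptable) only if the mask denies everything to 'others' and
# denies write to 'group', which are the two criteria in the warning.
umask_is_safe() {
    m=$(pad_umask "$1")
    others=${m#???}                     # 4th digit: bits denied to 'others'
    group=${m%?}; group=${group#??}     # 3rd digit: bits denied to 'group'
    [ "$others" = 7 ] && [ $(( group & 2 )) -ne 0 ]
}

# Mode a new regular file gets under a mask: creation mode 0666 & ~umask.
file_mode_under() {
    printf '%04o' $(( 0666 & ~0$(pad_umask "$1") ))
}

# Symbolic form of a mask as the shell reports it, e.g. 0027 -> u=rwx,g=rx,o=
symbolic_umask() {
    ( umask "$1" && umask -S )
}

# Check the calling shell's umask the way Bitbucket does at startup.
check_current_umask() {
    cur=$(umask)
    if umask_is_safe "$cur"; then
        echo "umask $cur is acceptable; new files get mode $(file_mode_under "$cur")"
    else
        echo "umask $cur is permissive (new files get $(file_mode_under "$cur"));" \
             "set 'umask 0027' in _start-webapp.sh" >&2
        return 1
    fi
}

# Compare the mask seen in the warning, a common default, and the recommended one.
for mask in 0002 0022 0027; do
    printf '%s (%s) -> file mode %s, safe=%s\n' "$mask" "$(symbolic_umask "$mask")" \
        "$(file_mode_under "$mask")" "$(umask_is_safe "$mask" && echo yes || echo no)"
done
check_current_umask || :
```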
Suggested Solution
- Considering the explanation above, and knowing that the default umask cannot be set to 0027 in all cases, our suggestion is to change the default behavior so that the mask is at least as restrictive as 0027, specifically when the user is created with a more permissive mask.
- This should reduce the number of situations in which the change has to be manually performed.
Why this is important
- More efficiency.
- Reduce Bitbucket administrator and system administrator effort.