Opened 7 years ago

Closed 4 years ago

Last modified 3 years ago

#7616 closed Uncategorized (fixed)

fcgi and socket file permissions

Reported by: mtredinnick
Owned by: gabrielhurley
Component: Documentation
Version: master
Severity: Normal
Keywords: deployment
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Following the change in [7800], the default permissions on the socket that is created if you are using runserver in fastcgi and socket-file mode are much more restrictive than they were. This is a Good Thing.

However, as noted in #7615, this might catch people out if they aren't thinking about permissions and using this mode of operation. So we need a documentation patch somewhere to explain that either the webserver and Django should be run as the same user, or (probably better), as the same group with a slightly relaxed umask setting (002, maybe?). This only applies to the socket case for fastcgi, so it will require writing something that is clear without overwhelming any other useful information (it's a bit of an edge-case and a sysadmin will already know it, but not everybody is a sysadmin, sadly).
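The permission effect the description refers to, as an added example that is not part of the ticket or of Django's code: it binds a Unix socket under several umasks and checks whether a process sharing only the group could connect. The umask values 0o077 and 0o022 are constructed "restrictive" samples (not the defaults from [7800]), `app.sock` is a hypothetical name, and Linux semantics (connecting requires write permission on the socket file) are assumed.

```python
import os
import socket
import stat
import tempfile


def socket_mode_under_umask(umask):
    """Bind a Unix socket under `umask`; return the file's permission bits."""
    workdir = tempfile.mkdtemp(prefix="fcgi-umask-")  # mkdtemp is always 0o700
    path = os.path.join(workdir, "app.sock")  # hypothetical socket name
    previous = os.umask(umask)
    try:
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            server.bind(path)  # creates the file with mode 0o777 & ~umask
            return stat.S_IMODE(os.stat(path).st_mode)
        finally:
            server.close()
            if os.path.exists(path):
                os.unlink(path)
    finally:
        os.umask(previous)  # restore the caller's umask
        os.rmdir(workdir)


def can_connect(mode, relation):
    """On Linux, connect() needs write permission on the socket file."""
    bit = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP,
           "other": stat.S_IWOTH}[relation]
    return bool(mode & bit)


def report(umasks=(0o077, 0o022, 0o002)):  # constructed sample values
    rows = []
    for umask in umasks:
        mode = socket_mode_under_umask(umask)
        rows.append((umask, mode, can_connect(mode, "group"),
                     can_connect(mode, "other")))
    return rows


if __name__ == "__main__":
    for umask, mode, group_ok, other_ok in report():
        print(f"umask {umask:03o} -> socket {mode:03o}  "
              f"group peer connects: {group_ok}  other users: {other_ok}")
```

The web server's account also needs search permission on every directory leading to the socket, which this example does not check.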

Attachments (1)

7616_umask_warning.diff (921 bytes) - added by gabrielhurley 4 years ago.


Change History (9)

comment:1 Changed 7 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 6 years ago by andresj

Yes! Please! I had no idea why my setup wasn't working.

And still, I don't know how to run the fastcgi server as the same group. sudo -u www-data will change it to the same user (and group), but how do you change only the group? Thanks. :)

comment:3 Changed 4 years ago by gabrielhurley

  • Keywords deployment added

Changed 4 years ago by gabrielhurley

comment:4 Changed 4 years ago by gabrielhurley

  • Has patch set
  • milestone set to 1.3
  • Owner changed from nobody to gabrielhurley
  • Status changed from new to assigned
  • Triage Stage changed from Accepted to Ready for checkin

I've added a patch with what I believe to be a factually accurate warning in it. I've had it reviewed once by a sysadmin already, but if someone else could verify that the advice provided is correct, I'll go ahead and commit it.

comment:5 Changed 4 years ago by gabrielhurley

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [14276]) Fixed #7616 -- Added advice on unix socket permissions and umasks to fastcgi deployment documentation. Thanks to Malcolm Tredinnick for the report and advice, and PaulM and cramm for reviewing the patch.

comment:6 Changed 4 years ago by gabrielhurley

(In [14277]) [1.2.X] Fixed #7616 -- Added advice on unix socket permissions and umasks to fastcgi deployment documentation. Thanks to Malcolm Tredinnick for the report and advice, and PaulM and cramm for reviewing the patch.

Backport of [14276] from trunk.

comment:7 Changed 3 years ago by jacob

  • milestone 1.3 deleted

Milestone 1.3 deleted

comment:8 Changed 3 years ago by joerg@…

  • Easy pickings unset
  • Severity set to Normal
  • Type set to Uncategorized
  • UI/UX unset

Wouldn't it be a better idea to apply the patch from #14958? It does allow safely specifying the umask without further hacks.
