Opened 16 years ago

Closed 13 years ago

Last modified 12 years ago

#7616 closed Uncategorized (fixed)

fcgi and socket file permissions

Reported by: Malcolm Tredinnick Owned by: Gabriel Hurley
Component: Documentation Version: dev
Severity: Normal Keywords: deployment
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Following the change in [7800], the default permissions on the socket that is created if you are using runserver in fastcgi and socket-file mode are much more restrictive than they were. This is a Good Thing.

However, as noted in #7615, this might catch people out if they aren't thinking about permissions and using this mode of operation. So we need a documentation patch somewhere to explain that either the webserver and Django should be run as the same user, or (probably better), as the same group with a slightly relaxed umask setting (002, maybe?). This only applies to the socket case for fastcgi, so it will require writing something that is clear without overwhelming any other useful information (it's a bit of an edge-case and a sysadmin will already know it, but not everybody is a sysadmin, sadly).

Attachments (1)

7616_umask_warning.diff (921 bytes ) - added by Gabriel Hurley 13 years ago.

Download all attachments as: .zip

Change History (9)

comment:1 by Malcolm Tredinnick, 16 years ago

Triage Stage: UnreviewedAccepted

comment:2 by Andres Riofrio, 15 years ago

Yes! Please! I had no idea why my setup wasn't working.

And still, I don't know how to run the fastcgi server as the same group. sudo -u www-data will change it to the same user (and group), but how do you change only the group? Thanks. :)

comment:3 by Gabriel Hurley, 13 years ago

Keywords: deployment added

by Gabriel Hurley, 13 years ago

Attachment: 7616_umask_warning.diff added

comment:4 by Gabriel Hurley, 13 years ago

Has patch: set
milestone: 1.3
Owner: changed from nobody to Gabriel Hurley
Status: newassigned
Triage Stage: AcceptedReady for checkin

I've added a patch with what I believe to be a factually accurate warning in it. I've had it reviewed once by a sysadmin already, but if someone else could verify that the advice provided is correct, I'll go ahead and commit it.

comment:5 by Gabriel Hurley, 13 years ago

Resolution: fixed
Status: assignedclosed

(In [14276]) Fixed #7616 -- Added advice on unix socket permissions and umasks to fastcgi deployment documentation. Thanks to Malcolm Tredinnick for the report and advice, and PaulM and cramm for reviewing the patch.

comment:6 by Gabriel Hurley, 13 years ago

(In [14277]) [1.2.X] Fixed #7616 -- Added advice on unix socket permissions and umasks to fastcgi deployment documentation. Thanks to Malcolm Tredinnick for the report and advice, and PaulM and cramm for reviewing the patch.

Backport of [14276] from trunk.

comment:7 by Jacob, 12 years ago

milestone: 1.3

Milestone 1.3 deleted

comment:8 by joerg@…, 12 years ago

Easy pickings: unset
Severity: Normal
Type: Uncategorized
UI/UX: unset

Wouldn't it be a better idea to apply the patch from #14958? It does allow safely specifying the umask without further hacks.

Note: See TracTickets for help on using tickets.
Back to Top