Opened 8 years ago

Closed 6 years ago

Last modified 5 years ago

#7616 closed Uncategorized (fixed)

fcgi and socket file permissions

Reported by: Malcolm Tredinnick
Owned by: Gabriel Hurley
Component: Documentation
Version: master
Severity: Normal
Keywords: deployment
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Following the change in [7800], the default permissions on the socket that is created if you are using runserver in fastcgi and socket-file mode are much more restrictive than they were. This is a Good Thing.

However, as noted in #7615, this might catch people out if they aren't thinking about permissions and using this mode of operation. So we need a documentation patch somewhere to explain that either the webserver and Django should be run as the same user, or (probably better), as the same group with a slightly relaxed umask setting (002, maybe?). This only applies to the socket case for fastcgi, so it will require writing something that is clear without overwhelming any other useful information (it's a bit of an edge-case and a sysadmin will already know it, but not everybody is a sysadmin, sadly).

Attachments (1)

7616_umask_warning.diff (921 bytes) - added by Gabriel Hurley 6 years ago.
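
An added illustration of the permission behaviour the description refers to, not part of the ticket or of Django's code: on Linux a Unix socket file is created with every permission bit except those masked by the umask, and connecting to it needs write permission on the file. The 077 umask and the socket file name are assumptions chosen for the example; 002 is the value suggested in the description.

```python
import os
import socket
import stat
import tempfile


def socket_mode_under_umask(umask):
    """Bind a Unix socket with the given umask; return its permission bits."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "app.sock")  # hypothetical socket name
        old = os.umask(umask)
        try:
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                srv.bind(path)  # the socket file is created here
                return stat.S_IMODE(os.stat(path).st_mode)
            finally:
                srv.close()
        finally:
            os.umask(old)  # always restore the caller's umask


def who_can_connect(mode):
    """On Linux, connect() needs write permission on the socket file."""
    return {
        "owner": bool(mode & stat.S_IWUSR),
        "group": bool(mode & stat.S_IWGRP),
        "other": bool(mode & stat.S_IWOTH),
    }


if __name__ == "__main__":
    # 0o077: assumed restrictive umask; 0o002: value suggested in the ticket
    for umask in (0o077, 0o002):
        mode = socket_mode_under_umask(umask)
        print(f"umask {umask:03o} -> mode {mode:04o} {who_can_connect(mode)}")
```

With umask 002 the socket is writable by owner and group but not by others, so a web server sharing the group can connect while unrelated local users cannot. The connecting process also needs search permission on the directory that holds the socket.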


Change History (9)

comment:1 Changed 8 years ago by Malcolm Tredinnick

Triage Stage: Unreviewed → Accepted

comment:2 Changed 8 years ago by Andres Riofrio

Yes! Please! I had no idea why my setup wasn't working.

And still, I don't know how to run the fastcgi server as the same group. sudo -u www-data will change it to the same user (and group), but how do you change only the group? Thanks. :)

comment:3 Changed 6 years ago by Gabriel Hurley

Keywords: deployment added

Changed 6 years ago by Gabriel Hurley

Attachment: 7616_umask_warning.diff added

comment:4 Changed 6 years ago by Gabriel Hurley

Has patch: set
milestone: 1.3
Owner: changed from nobody to Gabriel Hurley
Status: new → assigned
Triage Stage: Accepted → Ready for checkin

I've added a patch with what I believe to be a factually accurate warning in it. I've had it reviewed once by a sysadmin already, but if someone else could verify that the advice provided is correct, I'll go ahead and commit it.

comment:5 Changed 6 years ago by Gabriel Hurley

Resolution: fixed
Status: assigned → closed

(In [14276]) Fixed #7616 -- Added advice on unix socket permissions and umasks to fastcgi deployment documentation. Thanks to Malcolm Tredinnick for the report and advice, and PaulM and cramm for reviewing the patch.

comment:6 Changed 6 years ago by Gabriel Hurley

(In [14277]) [1.2.X] Fixed #7616 -- Added advice on unix socket permissions and umasks to fastcgi deployment documentation. Thanks to Malcolm Tredinnick for the report and advice, and PaulM and cramm for reviewing the patch.

Backport of [14276] from trunk.

comment:7 Changed 5 years ago by Jacob

milestone: 1.3

Milestone 1.3 deleted

comment:8 Changed 5 years ago by joerg@…

Easy pickings: unset
Severity: Normal
Type: Uncategorized
UI/UX: unset

Wouldn't it be a better idea to apply the patch from #14958? It does allow safely specifying the umask without further hacks.
