
I have a user account all set up for this Python webapp I'm deploying with mod_wsgi. It's super-unprivileged, and only gets to read from the appdir and write to a separate set of tempdirs which no one else gets to look at. I'm using the following configline:

WSGIDaemonProcess xlsxf_daemon user=xlsxf group=xlsxf

Simple enough. Unfortunately, we then have this from the docs about the user option:

Note that this option is ignored if Apache wasn't started as the root user, in which case no matter what the settings, the daemon processes will be run as the user that Apache was started as.

Since I'm running this in a default Ubuntu install on Linode, Apache starts as the www-data user and the Python app I have confirmed is doomed to also run as www-data. Why the limitation above? I have plenty of ruby/passenger apps that daemonize as other users just fine.

edit: okay, so Apache doesn't start as the www-data user, but I'm still seeing that the Python webapp runs as www-data in spite of the above config line. /edit

Alternatively, am I just being overly paranoid here? I have multiple different projects running on this server, and I'd like them all to run as separate users, "just in case", but feel free to tell me that I should just give in and move the permissions over to www-data.

edit2: As requested, here's all the running apache processes:

root     18798  0.0  1.9  16156  9880 ?        Ss   Jul26   0:03 /usr/sbin/apache2 -k start
www-data 19344  0.0  1.0  15208  5264 ?        S    Jul26   0:00 /usr/sbin/apache2 -k start
xlsxf    19361  0.0  1.2 155244  6620 ?        Sl   Jul26   0:02 /usr/sbin/apache2 -k start
www-data 19379  0.0  3.2 245436 16420 ?        Sl   Jul26   0:01 /usr/sbin/apache2 -k start
www-data 19380  0.0  3.2 243536 16496 ?        Sl   Jul26   0:01 /usr/sbin/apache2 -k start


You are reading it wrong. Apache does start as 'root' and the parent Apache process stays as 'root'; only the Apache server child processes run as 'www-data'. The mod_wsgi daemon processes are forked from the parent 'root' process and so will still be able to change to that user.

What the comment is saying is that if you start Apache from a totally non-privileged account, e.g., as yourself out of an install of Apache in your home directory or elsewhere, then since it doesn't start as 'root' it can't change the user id of daemon processes. Apache started from system init scripts, though, is always started as 'root' and should be no issue.

  • I believe what you're saying, but what I'm seeing is that despite the above config line, the Python webprocess is still starting up as www-data. Any thoughts about why that may be? Thanks! Jul 26, 2011 at 17:38
  • Do a 'ps auxwwww | grep httpd' and add the result to your question. Process may also be called 'apache2'. Don't remember what Ubuntu calls it. Jul 27, 2011 at 3:44
  • So, there is an apache2 process running under the xlsxf user, but this was actually what made it so difficult to figure out what was going on in the first place: despite the existence of that process, wherever the actual Python app is running, the user is still www-data (reads/writes files as that user; returns that username when I do a getpass.getuser()). Perhaps something else is wrong with my config then? Jul 27, 2011 at 4:16
  • Then you are missing WSGIProcessGroup in your configuration. Review the instructions at code.google.com/p/modwsgi/wiki/… Jul 27, 2011 at 5:50
  • Bam. Thank you. I wish I could give you more points. Jul 27, 2011 at 7:32
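A way to see for yourself which identity the app really runs under, and whether mod_wsgi delegated the request to the daemon process group at all (added example, not code from the question or answers; the xlsxf_daemon/xlsxf names are assumptions mirroring the question):

```python
# Pairs with this Apache config (assumed, mirrors the question; not from the post):
#   WSGIDaemonProcess xlsxf_daemon user=xlsxf group=xlsxf
#   WSGIProcessGroup  xlsxf_daemon
import getpass, grp, os, pwd

def _name(lookup, ident):
    """Resolve a uid/gid to a name; fall back to the number if unknown."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)

def identity():
    """Identity the kernel enforces (effective uid/gid) plus getpass's view."""
    euid, egid = os.geteuid(), os.getegid()
    try:
        via_getpass = getpass.getuser()  # consults $LOGNAME/$USER first
    except (KeyError, OSError):
        via_getpass = None
    return {"euid": euid, "egid": egid,
            "user": _name(lambda u: pwd.getpwuid(u).pw_name, euid),
            "group": _name(lambda g: grp.getgrgid(g).gr_name, egid),
            "getpass_user": via_getpass}

def running_as(expected_user):
    """Compare uids, not names: getpass.getuser() trusts env vars."""
    try:
        return os.geteuid() == pwd.getpwnam(expected_user).pw_uid
    except KeyError:
        return False  # no such account

def application(environ, start_response):
    """Report where the request really runs: mod_wsgi sets
    environ['mod_wsgi.process_group'] to the WSGIProcessGroup name, or ''
    in embedded mode (an Apache child, www-data) when nothing delegates to it."""
    pgroup = environ.get("mod_wsgi.process_group", "")
    info = identity()
    lines = ["mode=%s" % ("daemon" if pgroup else "embedded (no WSGIProcessGroup?)"),
             "process_group=%s" % (pgroup or "<none>"),
             "user=%s uid=%d" % (info["user"], info["euid"]),
             "group=%s gid=%d" % (info["group"], info["egid"]),
             "getpass.getuser()=%s" % info["getpass_user"]]
    body = ("\n".join(lines) + "\n").encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

Served via WSGIScriptAlias, a response starting with "mode=embedded" means the daemon process in the ps listing exists but is idle, which is exactly the symptom the comments above diagnose.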

user and group do work if you have your WSGIDaemonProcess config line correct. I have used it myself.

Here are my config lines

WSGISocketPrefix /var/run/wsgi

<VirtualHost xx.xx.xx.xx:80>

WSGIDaemonProcess somedomain.com user=somedomain group=somedomain python-path=/home/somedomain/mysite:/home/somedomain/venv/myvenv/lib/python2.7/site-packages
...
...
...
</VirtualHost>

However, you generally do not want to do this for security reasons. If you run your web server as the same user that has write permissions to your /home webfolder that is a security risk. You are usually better off omitting those and letting it run as the default apache user. Just make sure apache belongs to the group that has read and execute permissions to your web folder.

NOTE: See how I have that WSGISocketPrefix /var/run/wsgi outside the virtual host section. The WSGI daemon would not work without that.
