I have a user account all set up for this Python webapp I'm deploying with mod_wsgi. It's super-unprivileged, and only gets to read from the appdir and write to a separate set of tempdirs which no one else gets to look at. I'm using the following config line:
WSGIDaemonProcess xlsxf_daemon user=xlsxf group=xlsxf
Simple enough. Unfortunately, we then have this from the docs about the user option:
Note that this option is ignored if Apache wasn't started as the root user, in which case no matter what the settings, the daemon processes will be run as the user that Apache was started as.
Since I'm running this in a default Ubuntu install on Linode, Apache starts as the www-data user and the Python app I have confirmed is doomed to also run as www-data. Why the limitation above? I have plenty of ruby/passenger apps that daemonize as other users just fine.
edit: okay, so Apache doesn't start as the www-data user, but I'm still seeing that the Python webapp runs as www-data in spite of the above config line. /edit
Alternatively, am I just being overly paranoid here? I have multiple different projects running on this server, and I'd like them all to run as separate users, "just in case", but feel free to tell me that I should just give in and move the permissions over to www-data.
edit2: As requested, here's all the running apache processes:
root 18798 0.0 1.9 16156 9880 ? Ss Jul26 0:03 /usr/sbin/apache2 -k start
www-data 19344 0.0 1.0 15208 5264 ? S Jul26 0:00 /usr/sbin/apache2 -k start
xlsxf 19361 0.0 1.2 155244 6620 ? Sl Jul26 0:02 /usr/sbin/apache2 -k start
www-data 19379 0.0 3.2 245436 16420 ? Sl Jul26 0:01 /usr/sbin/apache2 -k start
www-data 19380 0.0 3.2 243536 16496 ? Sl Jul26 0:01 /usr/sbin/apache2 -k start
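An added example, not part of the original post: a diagnostic WSGI script that reports which account and which mod_wsgi mode a request is actually served under, so the process list above can be matched to the process handling requests. It assumes the documented `mod_wsgi.process_group` WSGI environ key (empty string in embedded mode); `EXPECTED_USER` and the helper names are illustrative.

```python
import grp
import os
import pwd

EXPECTED_USER = "xlsxf"  # account named in the WSGIDaemonProcess line above


def _name(lookup, ident, field):
    # Fall back to the numeric id when the account has no passwd/group entry.
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def process_identity(environ):
    """Collect the identity the current request is served under."""
    group = environ.get("mod_wsgi.process_group")
    if group is None:
        mode = "not mod_wsgi"      # e.g. run under another WSGI server
    elif group == "":
        mode = "embedded"          # handled inside an Apache child process
    else:
        mode = "daemon"            # handled by a WSGIDaemonProcess group
    user = _name(pwd.getpwuid, os.geteuid(), "pw_name")
    return {
        "pid": os.getpid(),
        "user": user,
        "group": _name(grp.getgrgid, os.getegid(), "gr_name"),
        "supplementary_gids": sorted(os.getgroups()),
        "mode": mode,
        "process_group": group,
        "matches_expected": mode == "daemon" and user == EXPECTED_USER,
    }


def application(environ, start_response):
    # Plain-text report; compare "pid" with the ps output to find the process.
    info = process_identity(environ)
    body = "".join(f"{k}: {v}\n" for k, v in info.items()).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

Mount it only temporarily, since the response discloses account and group details of the server.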