What permissions are needed for apache Passenger

ruby-on-rails ruby-on-rails-3
14,423

Permissions on web sites is a little strange: on the one hand, the content needs to be readable by the webserver and FastCGI or Passenger or whatever executes the (in this case, Ruby) code. On the other hand, if the webserver user owns the files, then a hacked webserver or (more likely :) your code could modify the executable files and static files that are your website. It happens too often.

If the content of the website is owned by some other user, not writable by the web server software, then the website can not be overwritten by attackers. (Of course, you have a few open sockets to a database connection; all the database backed data can be corrupted by attackers. Also, any directory where you allow uploads could be corrupted by attackers. But the goal is to reduce the privileges of the software as far as reasonable.)

So, all that said, on to your specific question; your webserver software runs as www-data, and it makes sense for your log files and upload directory to be owned by www-data:

mkdir -p /srv/www/mysite.com/testapp/log/   # might not exist yet
chown -R pcasa:pcasa /srv/www/mysite.com/   # or some other user
chmod 755 /srv/www/mysite.com
chmod 755 /srv/www/mysite.com/testapp/
# populate the app directory with your files, if you haven't done so already
chown -R www-data:www-data /srv/www/mysite.com/testapp/log
chmod 755 /srv/www/mysite.com/testapp/log   # see notes
chmod 644 /srv/www/mysite.com/testapp/log/* # see notes

I made the assumption that all users on your system can read the log. This might not be true. Use 700 in place of 755 and 600 in place of 644 if you don't want all system users to read the log files.

Next, for your uploads directory:

mkdir -p /srv/www/mysite.com/testapp/public/uploads/tmp  # might not exist yet
chown -R www-data:www-data /srv/www/mysite.com/testapp/public/uploads
chmod 755 /srv/www/mysite.com/testapp/public/uploads
chmod 755 /srv/www/mysite.com/testapp/public/uploads/tmp

Again, I've made the assumption that all users on your system can be able to see all the uploaded content. Use 700 in place of 755 if you just want the webserver software to be able to read the files.

These are simple guidelines that should work; you can get more complicated if you want to keep the website software and content shared only between the user that owns the website and the user that runs the website, by running the webserver with a supplementary group (see newgrp(1) and group(5) manpages for details) and giving the files the same group owner, and using the group permission bits (the middle octal number: 750 vs 700). It's complicated enough that unless you've got a good reason, it's probably not worth going down this route. (Definitely worth doing once on a development machine somewhere, just so you're familiar enough with it that you can use it in the future. :)

Share:
14,423
pcasa
Author by

pcasa

Updated on August 26, 2022

Comments

  • pcasa
    pcasa over 1 year

    Running Ubuntu 10.04 on Linode, RVM, Rails 3, Apache with Passenger module, carrierwave and mini-magick

    I get:

    Rails Error: Unable to access log file. Please ensure that /srv/www/mysite.com/testapp/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.

    and Errno::EACCES (Permission denied /srv/www/mysite.com/testapp/public/uploads/tmp/20110517-1707-2938-6455):

    I ran chmod -R root:root /srv/www/mysite.com/testapp

    Then: chmod -R www-data:www-data /srv/www/mysite.com/testapp & chmod -R www-data:www-data /srv/www/mysite.com/testapp/public/uploads

    Since the only 2 directories that should be writable is the log files and uploads directory I tried to secure the rest. Are there any other folders / files that I need to make writable?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Remove 'Show' link from ActiveAdmin default_actions
How do you run and debug Ruby on Rails from Visual Studio Code?
Using after_commit only on create
How to build task 'db:populate'
How do I get full URL to an image in a Rails asynchronous mailer?
How do I add Honey pot fields to my forms?
What is the difference between render and yield in Rails
When should i use DateTime vs date, time fields in ruby/rails?
comparison of Date with ActiveSupport::TimeWithZone failed
I18n: How to check if a translation key/value pairs is missing?