WSGIDaemonProcess: specifying a user


You are reading it wrong. Apache does start as 'root' and the parent Apache process stays as 'root'; only the Apache server child processes run as 'www-data'. The mod_wsgi daemon processes are forked from the parent 'root' process and so will still be able to change to that user.

What the comment is saying is that if you start Apache from a totally non-privileged account, e.g., as you out of an install of Apache in your home directory or elsewhere, then since it doesn't start as 'root' it can't change user id of daemon processes. Apache started from system init scripts, though, is always started as 'root' and should be no issue.

Author by

issa marie tseng

i believe in the wholeness of things • i fight for the users • i make things • i play music http://github.com/issa-tseng

Updated on September 18, 2022

Comments

  • issa marie tseng almost 2 years

    I have a user account all set up for this Python webapp I'm deploying with mod_wsgi. It's super-unprivileged, and only gets to read from the appdir and write to a separate set of tempdirs which no one else gets to look at. I'm using the following configline:

    WSGIDaemonProcess xlsxf_daemon user=xlsxf group=xlsxf
    

    Simple enough. Unfortunately, we then have this from the docs about the user option:

    Note that this option is ignored if Apache wasn't started as the root user, in which case no matter what the settings, the daemon processes will be run as the user that Apache was started as.

    Since I'm running this in a default Ubuntu install on Linode, Apache starts as the www-data user and the Python app I have confirmed is doomed to also run as www-data. Why the limitation above? I have plenty of ruby/passenger apps that daemonize as other users just fine.

    edit: okay, so Apache doesn't start as the www-data user, but I'm still seeing that the Python webapp runs as www-data in spite of the above config line. /edit

    Alternatively, am I just being overly paranoid here? I have multiple different projects running on this server, and I'd like them all to run as separate users, "just in case", but feel free to tell me that I should just give in and move the permissions over to www-data.

    edit2: As requested, here are all the running Apache processes:

    root     18798  0.0  1.9  16156  9880 ?        Ss   Jul26   0:03 /usr/sbin/apache2 -k start
    www-data 19344  0.0  1.0  15208  5264 ?        S    Jul26   0:00 /usr/sbin/apache2 -k start
    xlsxf    19361  0.0  1.2 155244  6620 ?        Sl   Jul26   0:02 /usr/sbin/apache2 -k start
    www-data 19379  0.0  3.2 245436 16420 ?        Sl   Jul26   0:01 /usr/sbin/apache2 -k start
    www-data 19380  0.0  3.2 243536 16496 ?        Sl   Jul26   0:01 /usr/sbin/apache2 -k start
    
  • issa marie tseng almost 13 years
    I believe what you're saying, but what I'm seeing is that despite the above config line, the Python webprocess is still starting up as www-data. Any thoughts about why that may be? Thanks!
  • Graham Dumpleton almost 13 years
    Do a 'ps auxwwww | grep httpd' and add the result to your question. Process may also be called 'apache2'. Don't remember what Ubuntu calls it.
  • issa marie tseng almost 13 years
    So, there is an apache2 process running under the xlsxf user, but this was actually what made it so difficult to figure out what was going on in the first place: despite the existence of that process, wherever the actual Python app is running, the user is still www-data (reads/writes files as that user; returns that username when I do a getpass.getuser()). Perhaps something else is wrong with my config then?
  • Graham Dumpleton almost 13 years
    Then you are missing WSGIProcessGroup in your configuration. Review the instructions at code.google.com/p/modwsgi/wiki/…
  • issa marie tseng almost 13 years
    Bam. Thank you. I wish I could give you more points.
  • issa marie tseng almost 13 years
    Okay, now I wish I could give you even more points, since blog.dscpl.com.au/2009/04/… just covered the next problem I ran into via Google. (I didn't develop this Python app [I'm a Rubyist], and the person who did hasn't done web programming before...). So thanks again.
  • Graham Dumpleton almost 13 years
    For reference, to check whether daemon mode is used or not, see code.google.com/p/modwsgi/wiki/…
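
The symptom in this thread (a daemon process exists as xlsxf, yet the application code runs as www-data) can be caught from inside the application. The following is an added example, not code from the thread or from the mod_wsgi project: a WSGI middleware that refuses to serve requests unless they arrive in the expected daemon process group under the expected user. The names `isolation_problems` and `RequireDaemonIdentity` are hypothetical; `xlsxf_daemon` and `xlsxf` come from the question, and the sample environs are constructed.

```python
import os
import pwd
import sys

def isolation_problems(environ, expected_group, expected_user, current_user=None):
    """Return the reasons this request is not running in the intended daemon."""
    if current_user is None:
        # Effective user of the process that is executing the application code.
        current_user = pwd.getpwuid(os.geteuid()).pw_name
    problems = []
    # mod_wsgi sets this key to '' in embedded mode, i.e. when the request is
    # handled inside an Apache child process rather than a daemon process.
    group = environ.get("mod_wsgi.process_group")
    if group is None:
        problems.append("not served by mod_wsgi")
    elif group == "":
        problems.append("embedded mode: no WSGIProcessGroup applies to this request")
    elif group != expected_group:
        problems.append("unexpected daemon process group %r" % group)
    if current_user != expected_user:
        problems.append("running as %r, expected %r" % (current_user, expected_user))
    return problems

class RequireDaemonIdentity:
    """WSGI middleware: answer 500 rather than serve from the wrong process."""
    def __init__(self, app, expected_group, expected_user, current_user=None):
        self.app = app
        self.expected = (expected_group, expected_user, current_user)

    def __call__(self, environ, start_response):
        problems = isolation_problems(environ, *self.expected)
        if not problems:
            return self.app(environ, start_response)
        # Details go to the Apache error log, never to the client.
        log = environ.get("wsgi.errors") or sys.stderr
        log.write("isolation check failed: %s\n" % "; ".join(problems))
        body = b"Service misconfigured\n"
        start_response("500 Internal Server Error",
                       [("Content-Type", "text/plain"),
                        ("Content-Length", str(len(body)))])
        return [body]

if __name__ == "__main__":
    # Constructed environs: the thread's symptom, then the intended state.
    broken = {"mod_wsgi.process_group": ""}
    fixed = {"mod_wsgi.process_group": "xlsxf_daemon"}
    print(isolation_problems(broken, "xlsxf_daemon", "xlsxf", current_user="www-data"))
    print(isolation_problems(fixed, "xlsxf_daemon", "xlsxf", current_user="xlsxf"))
```

In the WSGI script file, wrap the callable with `application = RequireDaemonIdentity(application, "xlsxf_daemon", "xlsxf")`; the `current_user` argument exists only so the check can be exercised offline.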