WSGIDaemonProcess: specifying a user
You are reading it wrong. Apache does start as 'root' and the parent Apache process stays as 'root'; only the Apache server child processes run as 'www-data'. The mod_wsgi daemon processes are forked from the parent 'root' process and so will still be able to change to that user.
What the comment is saying is that if you start Apache from a totally non-privileged account, e.g., as you, out of an install of Apache in your home directory or elsewhere, then since it doesn't start as 'root' it can't change the user id of daemon processes. Apache started from system init scripts, though, is always started as 'root' and should be no issue.
Updated on September 18, 2022
Comments
-
issa marie tseng almost 2 years
I have a user account all set up for this Python webapp I'm deploying with mod_wsgi. It's super-unprivileged, and only gets to read from the appdir and write to a separate set of tempdirs which no one else gets to look at. I'm using the following config line:
WSGIDaemonProcess xlsxf_daemon user=xlsxf group=xlsxf
Simple enough. Unfortunately, we then have this from the docs about the user option:
Note that this option is ignored if Apache wasn't started as the root user, in which case no matter what the settings, the daemon processes will be run as the user that Apache was started as.
Since I'm running this in a default Ubuntu install on Linode, Apache starts as the www-data user and the Python app I have confirmed is doomed to also run as www-data. Why the limitation above? I have plenty of ruby/passenger apps that daemonize as other users just fine.
edit: okay, so Apache doesn't start as the www-data user, but I'm still seeing that the Python webapp runs as www-data in spite of the above config line. /edit
Alternatively, am I just being overly paranoid here? I have multiple different projects running on this server, and I'd like them all to run as separate users, "just in case", but feel free to tell me that I should just give in and move the permissions over to www-data.
edit2: As requested, here's all the running apache processes:
root 18798 0.0 1.9 16156 9880 ? Ss Jul26 0:03 /usr/sbin/apache2 -k start
www-data 19344 0.0 1.0 15208 5264 ? S Jul26 0:00 /usr/sbin/apache2 -k start
xlsxf 19361 0.0 1.2 155244 6620 ? Sl Jul26 0:02 /usr/sbin/apache2 -k start
www-data 19379 0.0 3.2 245436 16420 ? Sl Jul26 0:01 /usr/sbin/apache2 -k start
www-data 19380 0.0 3.2 243536 16496 ? Sl Jul26 0:01 /usr/sbin/apache2 -k start
-
issa marie tseng almost 13 years
I believe what you're saying, but what I'm seeing is that despite the above config line, the Python webprocess is still starting up as www-data. Any thoughts about why that may be? Thanks!
Graham Dumpleton almost 13 years
Do a 'ps auxwwww | grep httpd' and add the result to your question. Process may also be called 'apache2'. Don't remember what Ubuntu calls it.
-
issa marie tseng almost 13 years
So, there is an apache2 process running under the xlsxf user, but this was actually what made it so difficult to figure out what was going on in the first place: despite the existence of that process, wherever the actual Python app is running, the user is still www-data (reads/writes files as that user; returns that username when I do a getpass.getuser()). Perhaps something else is wrong with my config then?
Graham Dumpleton almost 13 years
Then you are missing WSGIProcessGroup in your configuration. Review the instructions at code.google.com/p/modwsgi/wiki/…
-
issa marie tseng almost 13 years
Bam. Thank you. I wish I could give you more points.
-
issa marie tseng almost 13 years
Okay, now I wish I could give you even more points, since blog.dscpl.com.au/2009/04/… just covered the next problem I ran into via Google. (I didn't develop this Python app [I'm a Rubyist], and the person who did hasn't done web programming before...). So thanks again.
-
Graham Dumpleton almost 13 years
For reference, to check whether daemon mode is used or not, see code.google.com/p/modwsgi/wiki/…
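
Added example, not part of the original thread and not mod_wsgi's own code: a small WSGI diagnostic that shows the failure mode discussed above, where the xlsxf daemon process exists but requests are still served in embedded mode as www-data because WSGIProcessGroup is missing. It relies on the `mod_wsgi.process_group` key that mod_wsgi places in the WSGI environ (empty string in embedded mode); the function name `inspect_process` and the `EXPECTED_USER` constant are assumptions made for this example.

```python
import os
import pwd

# Taken from the question's "WSGIDaemonProcess xlsxf_daemon user=xlsxf" line.
EXPECTED_USER = "xlsxf"


def inspect_process(environ, expected_user=EXPECTED_USER):
    """Report which mod_wsgi mode and which OS user handle this request."""
    # mod_wsgi sets this key: "" in embedded mode, the daemon process group
    # name (e.g. "xlsxf_daemon") once WSGIProcessGroup delegates the request.
    group = environ.get("mod_wsgi.process_group")
    euid = os.geteuid()
    try:
        user = pwd.getpwuid(euid).pw_name
    except KeyError:  # uid without a passwd entry
        user = str(euid)
    if group is None:
        mode = "not-mod_wsgi"
    elif group == "":
        mode = "embedded"
    else:
        mode = "daemon"
    return {
        "mode": mode,
        "process_group": group or "",
        "effective_user": user,
        # Isolation holds only if the request is in a daemon process AND
        # that process actually dropped to the dedicated account.
        "isolated": mode == "daemon" and user == expected_user,
    }


def application(environ, start_response):
    """WSGI entry point: 200 when isolated as expected, 500 otherwise."""
    info = inspect_process(environ)
    body = "".join(f"{k}: {v}\n" for k, v in info.items()).encode("utf-8")
    status = "200 OK" if info["isolated"] else "500 Internal Server Error"
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))])
    return [body]
```

Served from the same virtual host as the real app, a response of `mode: embedded` with `effective_user: www-data` reproduces the symptom in the question; after adding `WSGIProcessGroup xlsxf_daemon` it should report `mode: daemon` and `effective_user: xlsxf`.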