[Wed Oct 28 12:05:02 2009] [notice] Apache/2.2.13 (Unix) DAV/2 PHP/5.2.9 mod_python/3.3.1 Python/2.6 mod_ssl/2.2.13 OpenSSL/0.9.8k-fips mod_wsgi/2.6 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Wed Oct 28 12:05:09 2009] [error] [client 10.0.2.15] (13)Permission denied: mod_wsgi (pid=2722): Unable to connect to WSGI daemon process 'mygroup' on '/etc/httpd/run/wsgi.2692.0.1.sock' after multiple attempts.
I have the WSGISocketPrefix set to run/wsgi.
The problem is that until F10 the httpd socket directory was /var/run/
and in F11 and F12 it is /var/run/httpd:
# ll /etc/httpd/run
lrwxrwxrwx. 1 root root 19 2009-10-28 11:04 /etc/httpd/run -> ../../var/run/httpd
# ll -d /var/run/httpd
drwx------. 2 root root 4096 2009-10-28 11:51 /var/run/httpd
# ll -d /var/run
drwxr-xr-x. 31 root root 4096 2009-10-28 11:35 /var/run
# ll /var/run/httpd/
total 4
-rw-r--r--. 1 root root 5 2009-10-28 12:05 httpd.pid
srwx------. 1 apache root 0 2009-10-28 12:05 wsgi.2692.0.1.sock
Any of these solve the problem:
# chmod o+x /var/run/httpd
# chown apache.root /var/run/httpd
Is there some way to fix it without user intervention and without
the risk of the fix being reverted when the httpd package is updated
or reinstalled? Should I ask Fedora developers to change permissions
or ownership of /var/run/httpd?
Regards, Clodoaldo
Forgot to say that just changing WSGISocketPrefix to the absolute
path/prefix /var/run/wsgi fixes all the problems, but it is against the
distribution's usage of paths relative to the httpd config directory.
Clodoaldo
The mod_wsgi module uses:
DEFAULT_REL_RUNTIMEDIR
from Apache configuration as the default location for these socket files.
This same location is also used by mod_cgid and I also imagine
possibly other third party modules such as fastcgi, scgi modules.
It is the only location known of in the Apache sphere when writing modules
which can be used for temporary files, logs, sockets etc., without
stepping outside of Apache and forcing users to define a location of
their own.
Linux distributions ignore the Apache configuration layout and impose
their own. RedHat/Centos takes this a step further and doctors the
Apache source code to separate logs from other temporary stuff created,
such as sockets. This is why I had to have WSGISocketPrefix in the first
place. That is, because RedHat/Centos were trying to enforce stuff
which Apache module writers wouldn't expect. When they did that split
they made logs not readable to others. If they have now taken that a
step further and made the run directory not readable as well, then
they risk third party Apache modules breaking altogether.
So, there isn't a great deal I can do about it except to further document in:
http://code.google.com/p/modwsgi/wiki/ConfigurationIssues#Location_Of_UNIX_Sockets
that RedHat/Centos is further screwing things up and to say that:
WSGISocketPrefix /var/run/wsgi
must be used.
That it uses an absolute path isn't something I can do much about,
unless you want to use:
WSGISocketPrefix run/../wsgi
on the assumption that it is safe to use the parent directory of whatever 'run'
directory is symlinked into the 'httpd' directory.
Although I could ask on the Apache developers list about this, I know from
the past that their opinion is that specific Linux distributions and users
of those distributions are on their own, due to the Linux
distributions ignoring the ASF's own configuration layout and
doctoring the original Apache code to do things differently to the standard
distribution.
Graham
Also see:
https://bugzilla.redhat.com/process_bug.cgi
I have posted to that because if they make the directory owned by the
apache user, or at minimum make it writable to the apache user, then they
have created a security hole in mod_wsgi which would allow execution
of arbitrary code as the user that the daemon mode process runs as.
Although using /tmp for UNIX socket files also has a similar danger,
my understanding is that sane UNIX systems will not allow you to
rename a socket created by another user, and so you can't compromise
mod_wsgi in the same way. If some UNIX systems do allow that and you use
/tmp, you are already putting yourself at risk. That is why the documentation
says not to use /tmp, albeit I see many people who ignore that
warning.
Graham
That will work for mod_wsgi and I suspect other modules. If a module
was wanting to get a listing of the directory and thus require 'r' and
not just 'x', then I would say that what the module is doing is a bit
dubious.
So, yes, using root:apache 0710 is probably a good middle ground. You
might like to comment on the bug report and add that.
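The rule of thumb in the reply above (root-owned, nobody but root may write, the Apache group only needs 'x' to traverse) can be checked mechanically. The script below is an added example, not code from the thread or from mod_wsgi itself; it assumes GNU stat (Linux) and that Apache runs as user/group "apache", as on Fedora. It rejects the two fixes the thread warns against (an apache-owned or group-writable directory) as well as the original root:root 0700 state that produces the "Permission denied" error, and accepts root:apache 0710 and the `chmod o+x` variant.

```shell
#!/bin/sh
# Added example (not from the thread or mod_wsgi): audit the ownership and
# mode of a mod_wsgi socket directory against the advice in the thread.
# Assumptions: Apache's group is "apache"; GNU stat is available.

# evaluate_socket_dir OWNER GROUP OCTAL_MODE APACHE_GROUP
# Returns 0 when the directory is both safe and usable by the daemon,
# 1 otherwise, and prints the reason.
evaluate_socket_dir() {
    owner="$1"; group="$2"; mode="$3"; apache_group="$4"

    # Keep only the last three octal digits (drops a leading setgid/sticky digit).
    perms="${mode#"${mode%???}"}"
    g_tmp="${perms#?}"
    g=$(( ${g_tmp%?} ))          # group digit
    o=$(( ${perms#??} ))         # others digit

    # Whoever owns the directory can chmod it and rename the socket inside,
    # so anything but root ownership hands control to that user.
    if [ "$owner" != root ]; then
        echo "unsafe: owned by $owner, who could replace the socket"
        return 1
    fi
    # Write permission for group or others has the same effect.
    if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
        echo "unsafe: writable by group or others (mode $perms)"
        return 1
    fi
    # The daemon only needs search (x) permission to connect to its socket:
    # either via 'others', or via the group when that group is Apache's.
    if [ $(( o & 1 )) -ne 0 ]; then
        echo "ok: $owner:$group $perms (searchable by everyone)"
        return 0
    fi
    if [ "$group" = "$apache_group" ] && [ $(( g & 1 )) -ne 0 ]; then
        echo "ok: $owner:$group $perms"
        return 0
    fi
    echo "unusable: $apache_group cannot traverse the directory (mode $perms); expect 'Permission denied'"
    return 1
}

# audit_dir PATH APACHE_GROUP: run the check against a real directory,
# following symlinks such as /etc/httpd/run -> /var/run/httpd.
audit_dir() {
    dir="$1"; apache_group="$2"
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    set -- $(stat -L -c '%U %G %a' "$dir")
    evaluate_socket_dir "$1" "$2" "$3" "$apache_group"
}

# Constructed cases taken from the thread: the failing Fedora default,
# the two quick fixes, the recommended middle ground, and a group-writable dir.
for case in "root root 700" "root root 701" "apache root 700" \
            "root apache 710" "root apache 770"; do
    set -- $case
    evaluate_socket_dir "$1" "$2" "$3" apache || true
done
```

To check a live system, run `audit_dir /etc/httpd/run apache` (or the absolute path you set in WSGISocketPrefix); it follows the symlink and reports the same verdicts.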
> Now I'm sorry for the guy who suggested to make apache the owner of
> the directory or give it write permission because he tried hard to
> read, resume the threads and produce a patch and now he could be
> feeling trashed given your somewhat harsh, albeit necessary, post.
I could have put a smiley after the last line about the security advisory. :-)
Overall I didn't think I was trashing anyone, just providing
information that those people might not be aware of.
Graham