Re: [modwsgi] mod_wsgi and mod_ruid2

Graham Dumpleton

Jul 20, 2012, 10:14:52 AM
to mod...@googlegroups.com
There is no builtin support for mod_ruid2.

You may be able to get it working by modifying the mod_wsgi source code.

Look for:

    /*
     * Set the ownership of the UNIX listener socket. This would
     * normally be the Apache user that the Apache server child
     * processes run as, as they are the only processes that
     * would connect to the sockets. In the case of ITK MPM,
     * having them owned by Apache user is useless as at the
     * time the request is to be proxied, the Apache server
     * child process will have uid corresponding to the user
     * whose request they are handling. For ITK, thus set the
     * ownership to be the same as the daemon processes. This is
     * still restrictive, in that can only connect to daemon
     * process group running under same user, but most of the
     * time that is what you would want anyway when using ITK
     * MPM.
     */

    if (!geteuid()) {
#if defined(MPM_ITK)
        if (chown(process->socket, process->uid, -1) < 0) {
#else
        if (chown(process->socket, ap_unixd_config.user_id, -1) < 0) {
#endif
            ap_log_error(APLOG_MARK, WSGI_LOG_ALERT(errno), wsgi_server,
                         "mod_wsgi (pid=%d): Couldn't change owner of unix "
                         "domain socket '%s'.", getpid(),
                         process->socket);
            return -1;
        }
    }

You want the code for the MPM_ITK case to execute. For the ITK MPM
it is a compile time thing, but not sure how one could accommodate
mod_ruid2 in a similar way at compile time as you would not know if it
is going to be loaded or not.

There has been talk of a configuration directive to allow this to be
dynamically switched in configuration, but that was only seen as
needed where a distro had provided ITK MPM and didn't provide Apache
dev package with correct header files for ITK MPM so Apache modules
could be compiled against it correctly.

Anyway, try changing:

#if defined(MPM_ITK)
        if (chown(process->socket, process->uid, -1) < 0) {
#else
        if (chown(process->socket, ap_unixd_config.user_id, -1) < 0) {
#endif

to:

/* #if defined(MPM_ITK) */
        if (chown(process->socket, process->uid, -1) < 0) {
/* #else
        if (chown(process->socket, ap_unixd_config.user_id, -1) < 0) {
#endif */

In other words, hard wiring it to create the socket with the UID the
daemon process runs as.

Graham

On 20 July 2012 06:55, slech <xum...@gmail.com> wrote:
> Hello Everyone.
> I have an issue installing moin wiki with mod_ruid.
> Moin wiki is a Python based app and I start it via Apache and mod_wsgi.
> Everything works fine without mod_ruid2. It also works fine if I manually
> change the permissions on the /var/run/wsgi/moin.32282.0.1.sock file
>>
>> chown www-moin:www-moin /var/run/wsgi/moin.32282.0.1.sock
>
> or
>>
>> chmod 777 /var/run/wsgi/moin.32282.0.1.sock
>
>
> After a restart the permissions change and it looks like this:
>>
>> srwx------ 1 www-data root 0 Jul 20 16:42 moin.32282.0.1.sock
>
>
> My Apache config related settings:
>>
>> RMode config
>> RUidGid www-moin www-moin
>> RGroups www-moin
>>
>> WSGIScriptAlias /web/production/moin/wm/moin.wsgi
>> WSGIDaemonProcess moin user=www-moin group=www-moin processes=5
>> threads=10 maximum-requests=1000 umask=0007
>> WSGIProcessGroup moin
>
>
> As I understand it, the wsgi process starts as the Apache user (in my case
> www-moin), but maybe at first run (restart, reload) it starts as the default
> Apache user?
>
> My question is how can I change the sock file default permissions?
>
> Thanks.
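
Added example, not part of the original thread and not mod_wsgi code: a simplified C model of the permission check behind the symptoms in this exchange. It shows why the stock socket (mode 0700, owned by the Apache user) refuses an Apache child that mod_ruid2 runs as www-moin, why a socket owned by the daemon user works, and that chmod 777 lets any local user connect. The numeric ids (33, 1001, 2000) and the function names are constructed for illustration; supplementary groups, ACLs and directory permissions are ignored.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* connect() on a UNIX socket file needs write permission on it (Linux).
 * Simplified model: ignores supplementary groups, ACLs and directory perms. */
int may_connect(uid_t s_uid, gid_t s_gid, mode_t mode, uid_t uid, gid_t gid)
{
    if (uid == 0) return 1;                     /* root bypasses the check */
    if (uid == s_uid) return (mode & S_IWUSR) != 0;
    if (gid == s_gid) return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Bind a real listener, chmod it 0700 like the listing in the thread, connect
 * as the current user and compare the kernel's answer with may_connect().
 * Returns 1 on agreement, 0 on disagreement, -1 if setup failed. */
int model_matches_kernel(void)
{
    char dir[] = "/tmp/wsgi-demo-XXXXXX";
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    struct stat st;
    int res = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(a.sun_path, sizeof a.sun_path, "%s/demo.sock", dir);
    int srv = socket(AF_UNIX, SOCK_STREAM, 0), cli = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv >= 0 && cli >= 0 && bind(srv, (struct sockaddr *)&a, sizeof a) == 0 &&
        chmod(a.sun_path, 0700) == 0 && listen(srv, 1) == 0 &&
        stat(a.sun_path, &st) == 0)
        res = (connect(cli, (struct sockaddr *)&a, sizeof a) == 0) ==
              may_connect(st.st_uid, st.st_gid, st.st_mode & 0777,
                          geteuid(), getegid());
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    unlink(a.sun_path); rmdir(dir);
    return res;
}

int main(void)
{   /* Constructed ids: 33 = www-data, 1001 = www-moin, 2000 = unrelated user. */
    printf("stock 0700 www-data, client www-moin: %d\n", may_connect(33, 0, 0700, 1001, 1001));
    printf("patched 0700 www-moin, client www-moin: %d\n", may_connect(1001, 0, 0700, 1001, 1001));
    printf("chmod 777, unrelated client: %d\n", may_connect(33, 0, 0777, 2000, 2000));
    printf("model agrees with kernel: %d\n", model_matches_kernel());
    return 0;
}
```
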

Graham Dumpleton

Jul 20, 2012, 1:51:00 PM
to mod...@googlegroups.com
Use:

WSGIDaemonProcess moin user=www-moin group=www-moin home=/tmp
processes=5 threads=10 maximum-requests=1000 umask=0007

That is, add the home=/tmp argument.

This will get rid of the complaint about not being able to change home directory.

Graham

On 20 July 2012 10:20, slech <xum...@gmail.com> wrote:
> Thank you for the reply!
>
> I tried:
>
> apt-get remove libapache2-mod-wsgi
> #
> /usr/local/src
> wget http://modwsgi.googlecode.com/files/mod_wsgi-3.3.tar.gz
> tar -zxvf mod_wsgi-3.3.tar.gz
> cd mod_wsgi-3.3
> vi mod_wsgi.c
>
> Change:
>
> #if defined(MPM_ITK)
> if (chown(process->socket, process->uid, -1) < 0) {
> #else
> if (chown(process->socket, ap_unixd_config.user_id, -1) < 0) {
> #endif
>
> to:
>
> /* #if defined(MPM_ITK) */
> if (chown(process->socket, process->uid, -1) < 0) {
> /* #else
> if (chown(process->socket, ap_unixd_config.user_id, -1) < 0) {
> #endif */
>
> apt-get install apache2-threaded-dev python-dev checkinstall
> #
> ./configure
> make
> #
> checkinstall --pkgname=mod_wsgi --pkgversion "3.3.release`date +%Y%m%d`"
> --backup=no --install=no --defaul
> #
> dpkg -i mod-wsgi_3.3.release20120720-1_amd64.deb
> #
> a2enmod wsgi
> service apache2 restart
>
> And I got the errors:
> * Starting web server apache2
> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
> no listening sockets available, shutting down
> Unable to open logs
> Action 'start' failed.
> The Apache error log may have more information.
>
>
> [Fri Jul 20 17:03:29 2012] [alert] (2)No such file or directory: mod_wsgi
> (pid=393): Unable to change working directory to '/home/www-moin'.
> [Fri Jul 20 17:03:29 2012] [alert] (2)No such file or directory: mod_wsgi
> (pid=395): Unable to change working directory to '/home/www-moin'.
> [Fri Jul 20 17:03:29 2012] [alert] (2)No such file or directory: mod_wsgi
> (pid=396): Unable to change working directory to '/home/www-moin'.
>
> killall apache2
> service apache2 start
>
> And now
>
>> srwx------ 1 www-moin root 0 Jul 20 20:08 moin.13173.0.1.sock
>
>
> Now it works! Great!
>
> But I can see in Apache error log:
> [Fri Jul 20 20:15:21 2012] [alert] (2)No such file or directory: mod_wsgi
> (pid=13628): Unable to change working directory to '/home/www-moin'.
> [Fri Jul 20 20:15:21 2012] [alert] (2)No such file or directory: mod_wsgi
> (pid=13629): Unable to change working directory to '/home/www-moin'.
> [Fri Jul 20 20:15:21 2012] [alert] (2)No such file or directory: mod_wsgi
> (pid=13630): Unable to change working directory to '/home/www-moin'.
> [Fri Jul 20 20:15:21 2012] [notice] Apache/2.2.22 (Ubuntu) DAV/2 SVN/1.6.17
> PHP/5.3.10-1ubuntu3.2 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1
> mod_wsgi/3.3 Python/2.7.3 configured -- resuming normal operations
> [Fri Jul 20 20:15:21 2012] [alert] (2)No such file or directory: mod_wsgi
> (pid=13631): Unable to change working directory to '/home/www-moin'.
> [Fri Jul 20 20:15:21 2012] [alert] (2)No such file or directory: mod_wsgi
> (pid=13632): Unable to change working directory to '/home/www-moin'.
>
> My user was created with:
>>
>> useradd --shell /bin/false --no-create-home www-moin
>
> Maybe it is possible to fix this?