Re: [Rails] RoR on CentOS 5, file permissions


Jordon Bedwell

Mar 15, 2013, 9:33:39 AM
to rubyonra...@googlegroups.com
On Fri, Mar 15, 2013 at 7:41 AM, Jussi Hirvi <jush...@gmail.com> wrote:
> I am learning RoR on CentOS 5. What would be the ideal way to set
> permissions in the app folder? The rails default did not work for me.
>
> I use git and apache/passenger. Everything works now that I
> - added apache to the group git (by modifying /etc/group)
> - did the following at the app root
> chown -R root:git *
> chmod -R 775 *
>
> However, this is probably too wide.
>
> It seems to me that somebody else is using the view templates besides
> apache, because 770 gives an error. Or else Passenger does not respect the
> fact that apache was added to the git group.

Passenger runs as the user and group Apache runs as. That said you
should not need to add the executable bit to any Ruby file unless it's
a bin file, Ruby is not PHP (actually that always kinda annoyed me
about PHP a bit :/..) That said, even if Apache was added to the git
group that does not mean that Apache will run with the git group since
Apache sets its user and group. Your best bet in that situation is to
set the group via configurations. I don't know how CentOS sets up
Apache so you'll have to grep that out.

On the permissions part, I would probably set it up as 640.

Jussi Hirvi

Mar 15, 2013, 3:42:45 PM
to rubyonra...@googlegroups.com


On Friday, March 15, 2013 3:33:39 PM UTC+2, Jordon Bedwell wrote:
> Passenger runs as the user and group Apache runs as.

I once got an error message which implied that the db dir should be accessible to the user nobody:nobody - and my apache is set to run as apache:apache.  I haven't tested this, though. As a temporary solution my db directory is now world-writable. 
 
> That said you
> should not need to add the executable bit to any Ruby file unless it's
> a bin file, Ruby is not PHP (actually that always kinda annoyed me
> about PHP a bit :/..)

I had the exec bit on only because of directory access. I was too lazy to adjust separately for files and directories.
 
> That said, even if Apache was added to the git
> group that does not mean that Apache will run with the git group since
> Apache sets its user and group. Your best bet in that situation is to
> set the group via configurations. I don't know how CentOS sets up
> Apache so you'll have to grep that out.
>
> On the permissions part, I would probably set it up as 640.

Let's see... I switched the group assignments so that now git is a member of apache group (and not vice versa). Both apache and git seem to work ok. 

Also I made this bash script which I run now and then. So far I am good with this. The permissions are not quite optimal, though. For example I don't like world-writable directories. 

# this file should be at the project root
myproj='.'
# basic settings
chgrp -R apache "$myproj"
chmod -R 774    "$myproj"
# project dir
chmod o+x       "$myproj"
# subdirs and their contents
find "$myproj"/* -type d -exec chmod 2775 {} \;
chmod -R 777 "$myproj/db" "$myproj/tmp"
chmod 666    "$myproj"/log/*

- Jussi
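
The tighter layout discussed in this thread (640 for files, group write only where the app writes, nothing world-writable), as an added shell example that is not part of any post here. It assumes a Rails root containing db/, tmp/ and log/ and an optional group name such as apache; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. harden_rails_tree and world_accessible
# are hypothetical names; db/, tmp/ and log/ are assumed to be the only
# paths the app writes to at runtime.

# harden_rails_tree APP_ROOT [GROUP]
harden_rails_tree() {
    app=$1
    group=${2:-}
    [ -d "$app" ] || { echo "not a directory: $app" >&2; return 1; }
    # Optional: hand the tree to the group the app server runs with.
    if [ -n "$group" ]; then chgrp -R "$group" "$app" || return 1; fi
    # Directories: owner rwx, group r-x, setgid so new files keep the group.
    find "$app" -type d -exec chmod 2750 {} + || return 1
    # Files: owner rw, group r. Ruby sources need no execute bit.
    find "$app" -type f -exec chmod 640 {} + || return 1
    # Launcher scripts keep the execute bit for owner and group only.
    for d in bin script; do
        [ -d "$app/$d" ] || continue
        find "$app/$d" -type f -exec chmod 750 {} + || return 1
    done
    # Runtime-writable paths get group write, still nothing for "other".
    for d in db tmp log; do
        [ -d "$app/$d" ] || continue
        find "$app/$d" -type d -exec chmod 2770 {} + || return 1
        find "$app/$d" -type f -exec chmod 660 {} + || return 1
    done
}

# world_accessible APP_ROOT: list paths granting any permission to "other".
# Symlinks are skipped because their own mode bits are not enforced.
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}
```

Running world_accessible before and after harden_rails_tree shows which paths were open to other local users and confirms that none remain.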

Frederick Cheung

Mar 15, 2013, 3:59:24 PM
to rubyonra...@googlegroups.com


On Friday, March 15, 2013 7:42:45 PM UTC, Jussi Hirvi wrote:


> On Friday, March 15, 2013 3:33:39 PM UTC+2, Jordon Bedwell wrote:
>> Passenger runs as the user and group Apache runs as.
>
> I once got an error message which implied that the db dir should be accessible to the user nobody:nobody - and my apache is set to run as apache:apache. I haven't tested this, though. As a temporary solution my db directory is now world-writable.

You can configure which user your Ruby code runs as. Whatever user that is clearly needs read access to your app (and possibly write access to tmp).

Fred 

Jussi Hirvi

Mar 16, 2013, 1:53:14 PM
to rubyonra...@googlegroups.com
On Friday, March 15, 2013 9:59:24 PM UTC+2, Frederick Cheung wrote:
> You can configure which user your Ruby code runs as. Whatever user that is clearly needs read access to your app (and possibly write access to tmp).

I found a way to do this - using the Process::UID module. 

Where should I put this in my project? And would it be harmful to use the "apache" user - same as Apache/Passenger? That would simplify setting the permissions in the project directory.

BTW, why cannot I post in this group with Thunderbird? Those emails just vanish and never get to the group. I can only post with browser, using groups.google.com. Is this normal? 

- Jussi

Colin Law

Mar 16, 2013, 5:11:21 PM
to rubyonra...@googlegroups.com
On 16 March 2013 17:53, Jussi Hirvi <jush...@gmail.com> wrote:
> ...
> BTW, why cannot I post in this group with Thunderbird? Those emails just
> vanish and never get to the group. I can only post with browser, using
> groups.google.com. Is this normal?

Is the email address you use with thunderbird the one you used to register with?

Colin

Jussi Hirvi

Mar 17, 2013, 1:04:45 PM
to rubyonra...@googlegroups.com, cla...@googlemail.com


On Saturday, March 16, 2013 11:11:21 PM UTC+2, Colin Law wrote:
> Is the email address you use with thunderbird the one you used to register with?

Yes. 
- Jussi 

Frederick Cheung

Mar 17, 2013, 2:47:23 PM
to rubyonra...@googlegroups.com


On Saturday, March 16, 2013 5:53:14 PM UTC, Jussi Hirvi wrote:
> On Friday, March 15, 2013 9:59:24 PM UTC+2, Frederick Cheung wrote:
>> You can configure which user your Ruby code runs as. Whatever user that is clearly needs read access to your app (and possibly write access to tmp).
>
> I found a way to do this - using the Process::UID module.
>
> Where should I put this in my project? And would it be harmful to use the "apache" user - same as Apache/Passenger? That would simplify setting the permissions in the project directory.

 
You should just be able to set this in the virtual host configuration.

Fred

Jussi Hirvi

Mar 20, 2013, 5:25:40 AM
to rubyonra...@googlegroups.com


On Sunday, March 17, 2013 8:47:23 PM UTC+2, Frederick Cheung wrote:
> You should just be able to set this in the virtual host configuration.

Now I found a way to do this. I could add

PassengerDefaultUser apache 
# (or whichever user you like except root)

to the virtual host block of the apache conf. I just tested this, and it works. 

But there is a more elegant way. All the necessary information is here: 


In essence, you just need to change the owner of config/environment.rb. This I did not test yet, though.  

- Jussi