Opened 10 years ago
Closed 9 years ago
#703 closed defect (fixed)
Switch deployment docs over to recommend running MediaGoblin as www-data?
Reported by: Christopher Allan Webber | Owned by:
People trying to run MediaGoblin installs often run into issues with permissions. If we had MediaGoblin simply run as www-data in the docs, this could simplify things drastically.
There may be some security concerns but I can't think of any clear ones.
Change History (11)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
I'm interested in making this change to the docs. Are these issues occurring for people running under Apache? Or is it also FastCGI people who are putting their deployment files somewhere they don't have permissions for?
Personally, I've deployed production MediaGoblin on FastCGI as a regular user in a directory that that user owns.
comment:3 by , 10 years ago
Status: new → accepted
comment:4 by , 10 years ago
Status: accepted → in_progress
comment:5 by , 10 years ago
comment:6 by , 9 years ago
In the meantime, I've switched my user_dev directory to be `chgrp www-data` and `chmod g+x`. As mediagoblin stands now, is that safe? It gives the server process access to queue. I don't know what they are.
comment:7 by , 9 years ago
Status: in_progress → accepted
I think this ticket is no longer valid since the deployment docs describe a setup where MediaGoblin runs as an unprivileged user behind Nginx. This ticket sounds like it refers to documentation about deploying on Apache, which may no longer exist.
ill_logic: it depends on how you are set up. If you're using Apache, that may well be the right approach. If not using Apache, take a look at the deployment docs: http://mediagoblin.readthedocs.org/en/v0.6.1/siteadmin/deploying.html.
comment:8 by , 9 years ago
I was following the deployment docs. When I (as best I could) followed them, Nginx didn't see the media directories. It makes sense, right? The media files don't go through MediaGoblin, and Nginx doesn't run as the MediaGoblin user.
comment:9 by , 9 years ago
Status: accepted → review
I've added a patch to explain the permissions required for Nginx to serve static and uploaded files.
www-data user requires execute permission to plugin_static plus all their parent directories. This user also requires read permission on all the files within these directories. You can safely either give the execute and read permissions to all users, or change the group ownership to www-data and give them to the group as you've done.
You don't need www-data user permissions on queue. Doing so probably isn't a security issue though, since the contents of these directories have difficult-to-guess names.
by , 9 years ago
Patch to explain the permissions required for Nginx to serve static and uploaded files.
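The rule in comment:9 (and the chgrp www-data / chmod g+x setup from comment:6) boils down to a traversal check: the web server account needs execute on every directory from the filesystem root down to the media file, and read on the file itself. The POSIX sh script below, an added example that is not part of this ticket or of the MediaGoblin project, verifies exactly that for a given group and file. It assumes `ls -ld` prints the mode string first and the group name in the fourth column, and that the serving account (www-data) does not own the files, so only the group bits (when the path's group matches) or the "other" bits apply. The paths and group used in comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the ticket or the MediaGoblin project.
# check_serve_path GROUP FILE: can a non-owner account in GROUP (e.g. www-data)
# reach and read FILE? Every ancestor directory must grant traverse (x) and
# the file must grant read (r).
# Assumptions: `ls -ld` prints the 10-character mode string in column 1 and
# the group name in column 4; the serving account is not the file owner.

# perm_info PATH -> "<10 mode chars> <group>", e.g. "drwxr-x--- www-data"
perm_info() {
  ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $4 }'
}

# bit_set MODESTR POS -> true if the permission at column POS (1..10) is granted.
# '-' means absent; uppercase S/T (and GNU 'l') mean setgid/sticky/locking
# without the execute bit, so they count as absent too.
bit_set() {
  case $(printf '%s' "$1" | cut -c"$2") in
    -|S|T|l) return 1 ;;
    *)       return 0 ;;
  esac
}

# perm_ok GROUP PATH GROUP_POS OTHER_POS
# POSIX rule for a non-owner: if PATH's group is GROUP the group bits apply,
# otherwise the "other" bits apply. Fails for a path that does not exist.
perm_ok() {
  info=$(perm_info "$2")
  [ -n "$info" ] || return 1
  mode=${info%% *}
  grp=${info#* }
  if [ "$grp" = "$1" ]; then
    bit_set "$mode" "$3"
  else
    bit_set "$mode" "$4"
  fi
}

# check_serve_path GROUP FILE
# Walks from FILE's parent up to (but not including) "/" checking traverse
# permission (group col 7 / other col 10), then checks read on FILE
# (group col 5 / other col 8). Prints the first offending path and returns 1;
# returns 0 when the web server account could serve the file.
check_serve_path() {
  group=$1
  file=$2
  case $file in /*) ;; *) file="$(pwd)/$file" ;; esac
  dir=$(dirname "$file")
  while [ "$dir" != "/" ]; do
    if ! perm_ok "$group" "$dir" 7 10; then
      echo "FAIL: $group cannot traverse directory $dir (needs x)"
      return 1
    fi
    dir=$(dirname "$dir")
  done
  if ! perm_ok "$group" "$file" 5 8; then
    echo "FAIL: $group cannot read $file (needs r)"
    return 1
  fi
  echo "OK: $file is servable by $group"
}

# Usage when run directly (illustrative path):
#   sh check_serve_path.sh www-data /srv/mediagoblin/user_dev/media/public/some.jpg
if [ $# -eq 2 ]; then
  check_serve_path "$1" "$2"
fi
```

Run it as the MediaGoblin user against one uploaded file; the first FAIL line names the directory or file that still needs `chmod g+x` / `g+r` (after `chgrp www-data`) or the equivalent `o+x` / `o+r`. The same check applies to the static and plugin_static directories Nginx serves directly.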
comment:10 by , 9 years ago
Status: review → closed
Great patch, Sturm! I applied it. In the future, could you generate the patch in a way that can be applied by git am? [See here for details on how to do that.](https://wiki.mediagoblin.org/Git_workflow#attaching_the_patch_files_to_the_issue)
Closed, I think this greatly improves clarity in the docs, good enough to close this. Thank you Sturm!
This would be a good contribution for a newcomer who's interested in doing docs.