Opened 11 years ago
Closed 10 years ago
#703 closed defect (fixed)
Switch deployment docs over to recommend running MediaGoblin as www-data?
Reported by: | Christopher Allan Webber | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | documentation | Keywords: | bitesized |
Cc: | ben@… | Parent Tickets: |
Description
People trying to run MediaGoblin installs often run into issues with permissions. If we had MediaGoblin simply run as www-data in the docs, this could simplify things drastically.
There may be some security concerns but I can't think of any clear ones.
Attachments (1)
Change History (11)
comment:1 by , 11 years ago
Keywords: | bitesized added |
---|
comment:2 by , 11 years ago
I'm interested in making this change to the docs. Are these issues occurring for people running under Apache? Or is it also FastCGI people who are putting their deployment files somewhere they don't have permissions for?
Personally, I've deployed production MediaGoblin on FastCGI as a regular user in a directory that that user owns.
comment:3 by , 11 years ago
Status: | new → accepted |
---|
comment:4 by , 11 years ago
Owner: | set to |
---|---|
Status: | accepted → in_progress |
comment:5 by , 11 years ago
Cc: | added |
---|
comment:6 by , 10 years ago
In the meantime, I've switched my user_dev directory to be `chgrp www-data` and `chmod g+x`. As mediagoblin stands now, is that safe? It gives the server process access to `workbench` and `queue`. I don't know what they are.
Thanks
comment:7 by , 10 years ago
Owner: | removed |
---|---|
Status: | in_progress → accepted |
I think this ticket is no longer valid since the deployment docs describe a setup where MediaGoblin runs as an unprivileged user behind Nginx. This ticket sounds like it refers to documentation about deploying on Apache, which may no longer exist.
ill_logic: it depends on how you are set up. If you're using Apache, that may well be the right approach. If not using Apache, take a look at the deployment docs: http://mediagoblin.readthedocs.org/en/v0.6.1/siteadmin/deploying.html.
comment:8 by , 10 years ago
I was following the deployment docs. When I (as best I could) followed them, Nginx didn't see the media directories. It makes sense, right? The media files don't go through Mediagoblin, and Nginx doesn't run as the Mediagoblin user.
comment:9 by , 10 years ago
Status: | accepted → review |
---|
I've added a patch to explain the permissions required for Nginx to serve static and uploaded files.
ill_logic: Your `www-data` user requires execute permission to `static`, `public`, `theme_static` and `plugin_static` plus all their parent directories. This user also requires read permission on all the files within these directories. You can safely either give the execute and read permissions to all users, or change the group ownership to `www-data` and give them to the group as you've done.
You don't need `www-data` user permissions on `workbench` and `queue`. Doing so probably isn't a security issue though, since the contents of these directories have difficult to guess names.
by , 10 years ago
Attachment: | 703_www-data.diff added |
---|
Patch to explain the permissions required for Nginx to serve static and uploaded files.
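Added example, not part of this ticket or of the attached patch: a shell audit of the permissions comment:9 describes, reporting any parent directory the web server's group cannot traverse and any file it cannot read. The function names are hypothetical, the directory paths are placeholders, and it assumes GNU `stat` and a web server user that does not own the files.

```shell
#!/bin/sh
# Added example. Assumes GNU stat and that the web server user does not own
# the files, so only group and "other" mode bits count. ACLs are ignored.

# has_bit GROUP PATH BIT: succeed if PATH grants BIT (4=read, 1=execute) to
# everyone, or to its owning group when that group is GROUP.
has_bit() {
    mode=$(stat -c '%a' "$2") || return 1
    owning_group=$(stat -c '%G' "$2") || return 1
    [ $(( (mode % 10) & $3 )) -ne 0 ] && return 0
    [ "$owning_group" = "$1" ] && [ $(( (mode / 10 % 10) & $3 )) -ne 0 ]
}

# blocked_dirs GROUP STOP DIR: print each directory from DIR up to STOP
# (inclusive) that GROUP cannot traverse; every parent needs execute.
blocked_dirs() {
    d=$3
    while :; do
        has_bit "$1" "$d" 1 || printf '%s\n' "$d"
        if [ "$d" = "$2" ] || [ "$d" = / ] || [ "$d" = . ]; then break; fi
        d=$(dirname "$d")
    done
}

# content_gaps GROUP DIR: print subdirectories GROUP cannot enter and files
# it cannot read beneath DIR.
content_gaps() {
    find "$2" \( -type d -o -type f \) | while IFS= read -r p; do
        if [ -d "$p" ]; then bit=1; else bit=4; fi
        has_bit "$1" "$p" "$bit" || printf '%s\n' "$p"
    done
}

# audit GROUP STOP DIR...: list every gap; succeed only when there are none.
audit() {
    grp=$1; stop=$2; shift 2
    gaps=$(for dir in "$@"; do
               blocked_dirs "$grp" "$stop" "$dir"
               content_gaps "$grp" "$dir"
           done | sort -u)
    [ -z "$gaps" ] || { printf '%s\n' "$gaps"; return 1; }
}

# Usage: sh audit.sh www-data / <static> <public> <theme_static> <plugin_static>
# (the four paths are placeholders for wherever your install keeps them)
if [ "$#" -ge 3 ]; then audit "$@"; fi
```

Leaving `workbench` and `queue` out of the argument list keeps the audit to the directories Nginx actually has to serve.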
comment:10 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | review → closed |
Great patch, Sturm! I applied it. In the future, could you generate the patch in a way that is applyable by git am? [See here for details on how to do that.](https://wiki.mediagoblin.org/Git_workflow#attaching_the_patch_files_to_the_issue)
Closed, I think this greatly improves clarity in the docs, good enough to close this. Thank you Sturm!
This would be a good contribution for a newcomer who's interested in doing docs.