Opened 11 years ago

Closed 10 years ago

#703 closed defect (fixed)

Switch deployment docs over to recommend running MediaGoblin as www-data?

Reported by: Christopher Allan Webber
Owned by:
Priority: major
Milestone:
Component: documentation
Keywords: bitesized
Cc: ben@…
Parent Tickets:

Description

People trying to run MediaGoblin installs often run into issues with permissions. If we had MediaGoblin simply run as www-data in the docs, this could simplify things drastically.

There may be some security concerns but I can't think of any clear ones.

Attachments (1)

703_www-data.diff (1.2 KB ) - added by Ben Sturmfels 10 years ago.
Patch to explain the permissions required for Nginx to serve static and uploaded files.


Change History (11)

comment:1 by Christopher Allan Webber, 11 years ago

Keywords: bitesized added

This would be a good contribution for a newcomer who's interested in doing docs.

comment:2 by Ben Sturmfels, 11 years ago

I'm interested in making this change to the docs. Are these issues occurring for people running under Apache? Or is it also FastCGI people who are putting their deployment files somewhere they don't have permissions for?

Personally, I've deployed production MediaGoblin on FastCGI as a regular user in a directory that that user owns.

comment:3 by Ben Sturmfels, 11 years ago

Status: new → accepted

comment:4 by Ben Sturmfels, 11 years ago

Owner: set to Ben Sturmfels
Status: accepted → in_progress

comment:5 by Ben Sturmfels, 11 years ago

Cc: ben@… added

comment:6 by Daniel Krol, 10 years ago

In the meantime, I've switched my user_dev directory to be chgrp www-data and chmod g+x. As mediagoblin stands now, is that safe? It gives the server process access to workbench and queue. I don't know what they are.

Thanks

comment:7 by Ben Sturmfels, 10 years ago

Owner: Ben Sturmfels removed
Status: in_progress → accepted

I think this ticket is no longer valid since the deployment docs describe a setup where MediaGoblin runs as an unprivileged user behind Nginx. This ticket sounds like it refers to documentation about deploying on Apache, which may no longer exist.

ill_logic: it depends on how you are set up. If you're using Apache, that may well be the right approach. If not using Apache, take a look at the deployment docs: http://mediagoblin.readthedocs.org/en/v0.6.1/siteadmin/deploying.html.

comment:8 by Daniel Krol, 10 years ago

I was following the deployment docs. When I (as best I could) followed them, Nginx didn't see the media directories. It makes sense, right? The media files don't go through Mediagoblin, and Nginx doesn't run as the Mediagoblin user.

comment:9 by Ben Sturmfels, 10 years ago

Status: accepted → review

I've added a patch to explain the permissions required for Nginx to serve static and uploaded files.

ill_logic: Your www-data user requires execute permission to static, public, theme_static and plugin_static plus all their parent directories. This user also requires read permission on all the files within these directories. You can safely either give the execute and read permissions to all users, or change the group ownership to www-data and give them to the group as you've done.

You don't need www-data user permissions on workbench and queue. Doing so probably isn't a security issue though, since the contents of these directories have difficult-to-guess names.
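A permission audit for the requirement Sturm describes above (search permission on every parent directory, read permission on every file, granted either to all users or to the www-data group), added here as an example; it is not MediaGoblin project code and not part of the attached patch. It assumes GNU coreutils (stat -c, find) and that ROOT is one of the directories Nginx serves (static, public, theme_static or plugin_static); the function names are my own.

```sh
# Added example, not MediaGoblin project code. Audits, from permission bits
# alone, whether a group (assumed: www-data) can reach and read a tree.
# Assumption: GNU coreutils (stat -c, find).

# Octal permission digit of PATH for "group" (g) or "other" (o).
perm_digit() {  # perm_digit PATH g|o
    m=$(stat -c '%a' "$1")
    m=${m#${m%???}}                       # keep the last three octal digits
    case $2 in
        g) printf '%s' "$m" | cut -c2 ;;
        o) printf '%s' "$m" | cut -c3 ;;
    esac
}

# Does GROUP hold BIT (4 = read, 1 = execute/search) on PATH, either via the
# "other" bits or via the group bits when PATH is group-owned by GROUP?
group_has_bit() {  # group_has_bit PATH GROUP BIT
    o=$(perm_digit "$1" o)
    [ $((o & $3)) -ne 0 ] && return 0
    [ "$(stat -c '%G' "$1")" = "$2" ] || return 1
    g=$(perm_digit "$1" g)
    [ $((g & $3)) -ne 0 ]
}

# Print every ancestor of DIR, nearest first, ending at /.
ancestors() {  # ancestors DIR
    d=$(cd "$1" && pwd)
    while [ "$d" != / ]; do
        d=$(dirname "$d")
        printf '%s\n' "$d"
    done
}

# Every ancestor of ROOT and every directory inside it needs search (x) for
# GROUP; every regular file inside it needs read (r). Prints one line per
# problem; returns 0 only when the tree is fully servable by GROUP.
check_tree() {  # check_tree ROOT GROUP
    root=$1; grp=$2
    problems=$(
        { ancestors "$root"; find "$root" -type d; } | while IFS= read -r d; do
            group_has_bit "$d" "$grp" 1 || echo "no execute for $grp: $d"
        done
        find "$root" -type f | while IFS= read -r f; do
            group_has_bit "$f" "$grp" 4 || echo "no read for $grp: $f"
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Remedy 1 from the comment: readable by all users. Ancestors only get o+x
# where it is missing, so chmod is never attempted on system directories
# such as / that already qualify (and that a non-root user could not change).
fix_tree_world() {  # fix_tree_world ROOT
    chmod -R o+rX "$1"
    ancestors "$1" | while IFS= read -r d; do
        group_has_bit "$d" "" 1 || chmod o+x "$d"
    done
}

# Remedy 2 from the comment: group-own the tree by GROUP and give the group
# read + search. Ancestors are deliberately left alone: re-owning your home
# directory to www-data is not what you want, so run check_tree afterwards
# and decide per reported ancestor.
fix_tree_group() {  # fix_tree_group ROOT GROUP
    chgrp -R "$2" "$1"
    chmod -R g+rX "$1"
}
```

Run `check_tree /srv/mediagoblin/user_dev/public www-data` (path assumed) and apply one of the two fixes to anything it reports. The bit-based audit ignores POSIX ACLs and mount options, so the ground-truth check is still to read a file as the web server's user, for example `sudo -u www-data cat /srv/mediagoblin/user_dev/public/media/somefile.jpg`.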

by Ben Sturmfels, 10 years ago

Attachment: 703_www-data.diff added

Patch to explain the permissions required for Nginx to serve static and uploaded files.

comment:10 by Christopher Allan Webber, 10 years ago

Resolution: fixed
Status: review → closed

Great patch, Sturm! I applied it. In the future, could you generate the patch in a way that is applyable by git am? [See here for details on how to do that.](https://wiki.mediagoblin.org/Git_workflow#attaching_the_patch_files_to_the_issue)

Closed, I think this greatly improves clarity in the docs, good enough to close this. Thank you Sturm!
