Opened 9 years ago

Closed 7 years ago

#703 closed defect (fixed)

Switch deployment docs over to recommend running MediaGoblin as www-data?

Reported by: Christopher Allan Webber Owned by:
Priority: major Milestone:
Component: documentation Keywords: bitesized
Cc: ben@… Parent Tickets:

Description

People trying to run MediaGoblin installs often run into issues with permissions. If we had MediaGoblin simply run as www-data in the docs, this could simplify things drastically.

There may be some security concerns but I can't think of any clear ones.

Subtickets

Attachments (1)

703_www-data.diff (1.2 KB) - added by Ben Sturmfels 7 years ago.
Patch to explain the permissions required for Nginx to serve static and uploaded files.


Change History (11)

comment:1 Changed 9 years ago by Christopher Allan Webber

Keywords: bitesized added

This would be a good contribution for a newcomer who's interested in doing docs.

comment:2 Changed 8 years ago by Ben Sturmfels

I'm interested in making this change to the docs. Are these issues occurring for people running under Apache? Or is it also FastCGI people who are putting their deployment files somewhere they don't have permissions for?

Personally, I've deployed production MediaGoblin on FastCGI as a regular user in a directory that that user owns.

comment:3 Changed 8 years ago by Ben Sturmfels

Status: new → accepted

comment:4 Changed 8 years ago by Ben Sturmfels

Owner: set to Ben Sturmfels
Status: accepted → in_progress

comment:5 Changed 8 years ago by Ben Sturmfels

Cc: ben@… added

comment:6 Changed 8 years ago by Daniel Krol

In the meantime, I've switched my user_dev directory to be chgrp www-data and chmod g+x. As mediagoblin stands now, is that safe? It gives the server process access to workbench and queue. I don't know what they are.

Thanks

comment:7 Changed 8 years ago by Ben Sturmfels

Owner: Ben Sturmfels deleted
Status: in_progress → accepted

I think this ticket is no longer valid since the deployment docs describe a setup where MediaGoblin runs as an unprivileged user behind Nginx. This ticket sounds like it refers to documentation about deploying on Apache, which may no longer exist.

ill_logic: it depends on how you are set up. If you're using Apache, that may well be the right approach. If not using Apache, take a look at the deployment docs: http://mediagoblin.readthedocs.org/en/v0.6.1/siteadmin/deploying.html.

comment:8 Changed 8 years ago by Daniel Krol

I was following the deployment docs. When I (as best I could) followed them, Nginx didn't see the media directories. It makes sense, right? The media files don't go through Mediagoblin, and Nginx doesn't run as the Mediagoblin user.

comment:9 Changed 7 years ago by Ben Sturmfels

Status: accepted → review

I've added a patch to explain the permissions required for Nginx to serve static and uploaded files.

ill_logic: Your www-data user requires execute permission to static, public, theme_static and plugin_static plus all their parent directories. This user also requires read permission on all the files within these directories. You can safely either give the execute and read permissions to all users, or change the group ownership to www-data and give them to the group as you've done.

You don't need www-data user permissions on workbench and queue. Doing so probably isn't a security issue though, since the contents of these directories have difficult-to-guess names.
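The permission rule described in the comment above (execute on the served directory and every parent, read on the files inside) can be checked before reloading Nginx. This is an added example, not code from the ticket or from MediaGoblin; it evaluates the mode bits as a given uid and group set would see them, so it can be run as the deploying user without switching to www-data. The directory layout and the `check_served_dir`/`principal_for` names are assumptions for the example.

```python
import grp
import os
import pwd
from pathlib import Path


def principal_for(username):
    """Return (uid, set_of_gids) for a local account such as www-data."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def _bits_for(st, uid, gids):
    """Pick the rwx triple (owner, group or other) that applies to uid/gids."""
    if uid == 0:                      # assumption: root bypasses mode bits
        return 0o7
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def check_served_dir(directory, uid, gids):
    """List everything that would stop uid/gids (e.g. www-data) from serving
    `directory` as Nginx does: every ancestor and every directory inside needs
    execute (search) permission, every file inside needs read permission.
    Returns an empty list when the tree is servable."""
    problems = []
    root = Path(directory).resolve()
    for ancestor in [root, *root.parents]:
        if not _bits_for(ancestor.stat(), uid, gids) & 0o1:
            problems.append(f"{ancestor}: missing execute (search) permission")
    for parent, dirs, files in os.walk(root):
        for name in dirs:
            p = Path(parent, name)
            if not _bits_for(p.stat(), uid, gids) & 0o1:
                problems.append(f"{p}: missing execute (search) permission")
        for name in files:
            p = Path(parent, name)
            if not _bits_for(p.stat(), uid, gids) & 0o4:
                problems.append(f"{p}: missing read permission")
    return problems


if __name__ == "__main__":
    # Example run: check the directories comment:9 lists for the www-data account.
    uid, gids = principal_for("www-data")
    for d in ("user_dev/media/public", "mediagoblin/static"):
        for problem in check_served_dir(d, uid, gids):
            print(problem)
```

Fixing a reported problem is then either `chmod o+x` / `chmod o+r` (open to all users) or `chgrp www-data` plus `chmod g+x` / `g+r` on the paths printed, exactly the two options the comment describes.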

Changed 7 years ago by Ben Sturmfels

Attachment: 703_www-data.diff added

Patch to explain the permissions required for Nginx to serve static and uploaded files.

comment:10 Changed 7 years ago by Christopher Allan Webber

Resolution: fixed
Status: review → closed

Great patch, Sturm! I applied it. In the future, could you generate the patch in a way that is applyable by git am? [See here for details on how to do that.](https://wiki.mediagoblin.org/Git_workflow#attaching_the_patch_files_to_the_issue)

Closed, I think this greatly improves clarity in the docs, good enough to close this. Thank you Sturm!
