On Thu, 20 Jan 2011 08:00:46 +0200, Graham Dumpleton
<[email protected]> wrote:
On 20 January 2011 16:40, Joonas Lehtolahti <[email protected]> wrote:
On Thu, 20 Jan 2011 04:47:14 +0200, Graham Dumpleton
<[email protected]> wrote:
That one feature is the ability to define a template for a daemon
process group with new daemon process groups setup according to that
template being able to be started dynamically without having to
restart Apache. That is, instead of having to change the static
configuration of Apache, could be as simple as just dropping a WSGI
script file in place and when a request occurs which gets routed to
that, a new daemon process group for that application is created
automatically, with it running with user/group corresponding to the
ownership of the WSGI script file.
This is practically the only thing I can remember of that I'd like to
see
from mod_wsgi. Then again, I would want this to be generic option in
Apache
itself applying to CGI scripts and whatnot running from user's home www
folders.
Don't follow you about the CGI scripts as you can already configure
Apache in ways that would automatically allow CGI scripts to work in
users home www directories without need to reconfigure when you add a
new account.
<Directory /home/*/public_html/cgi-bin>
Options ExecCGI
AddHandler cgi-script .cgi
</Directory>
Use this in combination with mod_userdir and then as soon as a you
create a new user account and add public_html directory under it, then
you can add cgi-bin directory with CGI scripts in it.
This is how I have it set up.
Note though that this relies on Apache user have ability to read into
users home directory.
Yes, and the point here was that it is still Apache user, so if the Apache
user has access to every user's public_html, then any CGI scripts executed
there also have access to every user's public_html and even the root
/var/www (or whatever the DocumentRoot is). So what I want is that CGI
scripts from user folders are also executed as another user account than
the generic Apache account, just like what you're planning for mod_wsgi,
the effective user/group for executing the wsgi script depends on that
file's owner information.
A better approach may be:
<Directory /usr/local/www/*/cgi-bin>
Options ExecCGI
AddHandler cgi-script .cgi
</Directory>
The mod_userdir configuration would then instead be set to:
UserDir /usr/local/www
instead of:
UserDir public_html
If you then make ~/public_html a symlink to /usr/local/www/<username>
and the directories under /usr/local/www would be owned by the
specific user and permissions such that Apache user can read them a
user isn't going to know it isn't under their own account.
This way on a system with restrictive home directory permissions you
don't need to add r-x to others.
Yeah, that's a good point. Still if the CGI script is being executed with
Apache user, it has access to anywhere the Apache user has access to,
including other users' /usr/local/www/<username>/ stuff.
--
You received this message because you are subscribed to the Google Groups
"modwsgi" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/modwsgi?hl=en.
