Bug#872816: radicale wsgi example not usable

2022-10-22 Thread Jonas Smedegaard
Quoting Borden (2022-10-22 16:16:12)
> 22 Oct 2022, 03:23 by jo...@jones.dk:
> > I doubt I am able to contribute much to this bugreport.  If/when you
> > guys figure out something you'd like to get added to the radicale
> > package (and it isn't too involving or exotic) then tell me and I will
> > sure consider adopting it into the package.  Other than that, I will
> > leave you to it...
> >
> Fair, I understand that this is an off-documented use of Radicale. And I 
> suspect there are some upstream bugs beyond your scope, as the WSGI configs 
> aren't working as advertised.
> 
> A couple of questions which I think you can answer and will help me:
> 1. "secure" permissions for the Radicale store are 660, uid=radicale ; 
> gid=radicale, correct? Can they be more restrictive or should they be more 
> permissive? Should 600 work in the "recommended" setup?

600 could work - not convinced that it should, however: I see no
security risk in allowing write access to a group which has only one
user - except if the sysadmin lets anyone else into that group.


> 2. /etc/default/radicale only gets read when radicale runs in standalone, 
> correct?

Correct.

> 3. The wiki.debian.org/Radicale needs to be overhauled since it doesn't 
> recommend best practices, yes?

Probably - it is a _wiki_ page that I don't care about ;-)


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private



Bug#872816: radicale wsgi example not usable

2022-10-22 Thread Borden
22 Oct 2022, 03:23 by jo...@jones.dk:
> I doubt I am able to contribute much to this bugreport.  If/when you
> guys figure out something you'd like to get added to the radicale
> package (and it isn't too involving or exotic) then tell me and I will
> sure consider adopting it into the package.  Other than that, I will
> leave you to it...
>
Fair, I understand that this is an off-documented use of Radicale. And I 
suspect there are some upstream bugs beyond your scope, as the WSGI configs 
aren't working as advertised.

A couple of questions which I think you can answer and will help me:
1. "secure" permissions for the Radicale store are 660, uid=radicale ; 
gid=radicale, correct? Can they be more restrictive or should they be more 
permissive? Should 600 work in the "recommended" setup?
2. /etc/default/radicale only gets read when radicale runs in standalone, 
correct?
3. The wiki.debian.org/Radicale needs to be overhauled since it doesn't 
recommend best practices, yes?



Bug#872816: radicale wsgi example not usable

2022-10-22 Thread Jonas Smedegaard
Hi Borden (and, if still around, Joerg),

Quoting Borden (2022-10-21 23:50:48)
> > I tried following these instructions and grafting this file at 
> > https://gist.github.com/return42/47ac8aabd19eaad0f10979761d0611a1 into my 
> > config. I have authentication set to pwauth, not a static file. Apache 
> > spawns a login window when I use the uWSGI configuration, but it throws a 
> > 500 error (due to PermissionError: [Errno 13] Permission denied: 
> > '/var/lib/radicale/collections') when I use only mod_wsgi.

The setup documented as recommended in the radicale package uses uwsgi,
and the main reason for that is that having an apache2 module execute
python code directly means that code gets executed by apache2, not
isolated from apache2.

I doubt I am able to contribute much to this bugreport.  If/when you
guys figure out something you'd like to get added to the radicale
package (and it isn't too involving or exotic) then tell me and I will
sure consider adopting it into the package.  Other than that, I will
leave you to it...


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private



Bug#872816: radicale wsgi example not usable

2022-10-21 Thread Borden
> I tried following these instructions and grafting this file at 
> https://gist.github.com/return42/47ac8aabd19eaad0f10979761d0611a1 into my 
> config. I have authentication set to pwauth, not a static file. Apache spawns 
> a login window when I use the uWSGI configuration, but it throws a 500 error 
> (due to PermissionError: [Errno 13] Permission denied: 
> '/var/lib/radicale/collections') when I use only mod_wsgi.

So I know I'm making a nuisance out of myself. But I hope that, once I 
understand what's going on and how to fix it, I can improve the code and/or 
documentation to make Radicale more useful for future generations.

My DAV folders are permissioned to uid=radicale & gid=radicale & perm=rwxrwx--- 
(770). It should be documented whether this is too restrictive or permissive, 
since this _is_ an Internet-facing service.

The above config works with the 'recommended' uWSGI implementation. However, I 
can't figure out which mod_wsgi apache.conf settings will get Radicale to run 
with radicale:radicale permissions, so Linux quite appropriately refuses to let 
it access the DAV folders.

One suggestion is to change the DAV folder permissions to www-data:www-data 
(https://wiki.debian.org/Radicale#Deliver_Radicale_through_Apache) which 
strikes me as unsafe (fixing wiki documentation is also on my to-do list).

I also discovered the undocumented (!) /etc/default/radicale file, which sets 
the "--daemon" option. Does this have to be disabled for mod_wsgi?
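
Added example (not part of the thread, and not code from Radicale or the Debian package): the mode-bit check behind the PermissionError quoted above, plus an audit of the store for the ownership and 660/600/770 questions raised in this thread. The `radicale` account name and the collections path are the ones quoted in the messages; the function names are hypothetical.

```python
import grp
import os
import pwd
import stat


def dac_allows(owner_uid, owner_gid, mode, proc_uid, proc_gids, want):
    """Classic Unix mode-bit decision (ignores ACLs and root's override).

    Exactly one permission class applies: owner, else group, else other.
    want is a mask of 0o4 (read), 0o2 (write), 0o1 (execute/search).
    """
    if proc_uid == owner_uid:
        granted = (mode >> 6) & 0o7
    elif owner_gid in proc_gids:
        granted = (mode >> 3) & 0o7
    else:
        granted = mode & 0o7
    return (granted & want) == want


def audit_store(root, uid, gid):
    """Return (path, problem) pairs for entries under root that are not
    owned by uid:gid or that grant any permission to 'other'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if (st.st_uid, st.st_gid) != (uid, gid):
                findings.append((path, "owned by %d:%d" % (st.st_uid, st.st_gid)))
            if st.st_mode & stat.S_IRWXO:
                findings.append(
                    (path, "mode %o is open to other" % stat.S_IMODE(st.st_mode)))
    return findings


def group_users(gid):
    """Every account holding gid, as primary or supplementary group.
    Group write access (660/770) is only as tight as this list is short."""
    members = set(grp.getgrgid(gid).gr_mem)
    members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == gid)
    return sorted(members)


if __name__ == "__main__":
    acct = pwd.getpwnam("radicale")  # account name as used in the thread
    store = "/var/lib/radicale/collections"  # path from the quoted error
    print("accounts in the store's group:", group_users(acct.pw_gid))
    for path, problem in audit_store(store, acct.pw_uid, acct.pw_gid):
        print(path, "-", problem)
```

Run it as root or as the radicale user, since any other account cannot list a 770 store in the first place.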



Bug#872816: radicale wsgi example not usable

2022-10-16 Thread Borden
On Thu, 24 Aug 2017 09:22:24 +0200 Joerg Dorchain wrote:
> It is not quite that easy, however let's try with some snippets.
> 
> My working config of radicale with the supplied wsgi script
> consists of the following config snippets:

I tried following these instructions and grafting this file at 
https://gist.github.com/return42/47ac8aabd19eaad0f10979761d0611a1 into my 
config. I have authentication set to pwauth, not a static file. Apache spawns a 
login window when I use the uWSGI configuration, but it throws a 500 error (due 
to PermissionError: [Errno 13] Permission denied: 
'/var/lib/radicale/collections') when I use only mod_wsgi.
What am I forgetting to do?

It would be nice to choose between a uwsgi and a mod_wsgi config.



Bug#872816: radicale wsgi example not usable

2018-09-23 Thread Jonas Smedegaard
Hi Georg,

Quoting Georg Faerber (2017-08-24 13:33:05)
> On 17-08-24 00:27:56, Jonas Smedegaard wrote:
> > I'd be happy to include sample config snippets for mod_wsgi (and 
> > nginx and uwsgi and other web servers) with the Debian radicale 
> > package.
> 
> I'm running radicale via uwsgi and nginx, are you interested in the 
> configs, in another bug?

Yes, please! :-)

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#872816: radicale wsgi example not usable

2017-08-24 Thread Joerg Dorchain
On Thu, Aug 24, 2017 at 09:22:24AM +0200, Joerg Dorchain wrote:
> > 
> > I'd be happy to include sample config snippets for mod_wsgi (and nginx 
> > and uwsgi and other web servers) with the Debian radicale package.
> > 
> > Can you provide me a file to place below /etc/apache2/sites-available/ 
> > then I can use that as basis.

One more addendum: As referenced on
https://github.com/Kozea/Radicale/issues/685,
https://gist.github.com/return42/47ac8aabd19eaad0f10979761d0611a1
contains a more verbose example, also covering the config file
path.

Best regards,

Joerg




Bug#872816: radicale wsgi example not usable

2017-08-24 Thread Georg Faerber
Hi Jonas,

On 17-08-24 00:27:56, Jonas Smedegaard wrote:
> I'd be happy to include sample config snippets for mod_wsgi (and nginx
> and uwsgi and other web servers) with the Debian radicale package.

I'm running radicale via uwsgi and nginx, are you interested in the
configs, in another bug?

Cheers,
Georg




Bug#872816: radicale wsgi example not usable

2017-08-24 Thread Joerg Dorchain
On Thu, Aug 24, 2017 at 12:27:56AM +0200, Jonas Smedegaard wrote:
> > - I had an historic entry for the LANG setting there, causing
> >   problems with the non-ascii char.
> > 
> > - Also the official way of pointing the wsgi version to its config
> >   file is via environment variable, which again for me leads to
> >   apache envvars.
> >   This point is probably worth mentioning in a README{.debian}
> 
> I prefer to leave WSGI documentation generally to external resources.

To me this is a radicale specific hint. The rest of the
documentation talks about config in /etc/radicale/config, but to
my big surprise the supplied wsgi script explicitly disables it.
> 
> I'd be happy to include sample config snippets for mod_wsgi (and nginx 
> and uwsgi and other web servers) with the Debian radicale package.
> 
> Can you provide me a file to place below /etc/apache2/sites-available/ 
> then I can use that as basis.

It is not quite that easy, however let's try with some snippets.

My working config of radicale with the supplied wsgi script
consists of the following config snippets:

- in /etc/apache2/envvars
# Make sure mod_wsgi has utf-8 as default encoding. There are other
# ways to achieve this, this sets it for all of apache (including e.g.
# php), which is fine for me.
export LANG=C.UTF-8
# Pointing the wsgi version of radicale to its config
# Upstream explicitly removes the normal path in the supplied wsgi
# script.
export RADICALE_CONFIG=/etc/radicale/config

- in the apache config file for the (virtual) host:
# You can choose a different user here, e.g. radicale
WSGIDaemonProcess radicale user=www-data group=www-data threads=9 inactivity-timeout=300 display-name=%{GROUP}
# If you have a dedicated vhost use / here.
WSGIScriptAlias /caldav /usr/share/radicale/radicale.wsgi

WSGIProcessGroup radicale
WSGIApplicationGroup %{GLOBAL}
# When you have in /etc/radicale/config in section [auth]
# type=remote, leave this commented out
#WSGIPassAuthorization On
AllowOverride None

# Leave Authentication to Apache, which makes most sense with
# type=remote authentication in radicale
AuthType Basic
AuthName "radicale"
AuthBasicProvider file
AuthUserFile  /etc/apache2/caldav-passwd
Require valid-user


Bye,

Joerg




Bug#872816: radicale wsgi example not usable

2017-08-23 Thread Jonas Smedegaard
Quoting Joerg Dorchain (2017-08-23 14:54:38)
> On Mon, Aug 21, 2017 at 07:15:11PM +0200, Joerg Dorchain wrote:
> > > 
> > > Upstream WSGI file is shipped as-is.  Would you mind bringing 
> > > these issues upstream yourself?
> > 
> > https://github.com/Kozea/Radicale/issues/685
> 
> Upstream support pointed me to proper use of apache2 envvars:
> 
> - I had an historic entry for the LANG setting there, causing
>   problems with the non-ascii char.
> 
> - Also the official way of pointing the wsgi version to its config
>   file is via environment variable, which again for me leads to
>   apache envvars.
>   This point is probably worth mentioning in a README{.debian}

I prefer to leave WSGI documentation generally to external resources.

I'd be happy to include sample config snippets for mod_wsgi (and nginx 
and uwsgi and other web servers) with the Debian radicale package.

Can you provide me a file to place below /etc/apache2/sites-available/ 
then I can use that as basis.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#872816: radicale wsgi example not usable

2017-08-23 Thread Joerg Dorchain
On Mon, Aug 21, 2017 at 07:15:11PM +0200, Joerg Dorchain wrote:
> > 
> > Upstream WSGI file is shipped as-is.  Would you mind bringing these 
> > issues upstream yourself?
> 
> https://github.com/Kozea/Radicale/issues/685

Upstream support pointed me to proper use of apache2 envvars:

- I had an historic entry for the LANG setting there, causing
  problems with the non-ascii char.

- Also the official way of pointing the wsgi version to its config
  file is via environment variable, which again for me leads to
  apache envvars.
  This point is probably worth mentioning in a README{.debian}

> 
> > Ohh, such examination sometimes reveals interesting stuff.  Please do 
> > keep me (and upstream) posted about any findings of yours!

With pleasure!

Bye,

Joerg




Bug#872816: radicale wsgi example not usable

2017-08-21 Thread Joerg Dorchain
On Mon, Aug 21, 2017 at 06:54:08PM +0200, Jonas Smedegaard wrote:
> > it should use the default path, i.e. a line config_paths =
> > ["/etc/radicale/config"].
> > It would be worth mentioning in a README.debian, whatever it
> > will be.
> 
> Upstream WSGI file is shipped as-is.  Would you mind bringing these 
> issues upstream yourself?

https://github.com/Kozea/Radicale/issues/685

> Ohh, such examination sometimes reveals interesting stuff.  Please do 
> keep me (and upstream) posted about any findings of yours!

I filed another bug about a missing dependency.

Now I am reviewing my authorisation system, which used to be based
on apache and some mod_rewrite magic, and try to see how far I get
with methods available from within radicale.

Bye,

Joerg




Bug#872816: radicale wsgi example not usable

2017-08-21 Thread Jonas Smedegaard
Quoting Joerg Dorchain (2017-08-21 18:16:34)
> On Mon, Aug 21, 2017 at 05:51:07PM +0200, Jonas Smedegaard wrote:
> > Quoting Joerg Dorchain (2017-08-21 16:42:41)
> > > when trying to use the supplied /usr/share/radicale/radicale.wsgi 
> > > file with libapache2-mod-wsgi 4.5.17-1, the following error is 
> > > displayed in the apache error log:
> > > 
> > >  SyntaxError: Non-ASCII character '\\xc2' in file
> > >  .../radicale.wsgi on line 4, but no encoding declared; see
> > >  http://python.org/dev/peps/pep-0263/ for details
> > > 
> > > Externally a 500 internal error is shown.
> > > 
> > > Inserting # coding: utf-8 as second line solves it for me.
> > 
> > Thanks!
> 
> Obviously, to be completely correct, it is the libapache2-mod-wsgi-py3
> package.
> 
> While at the file, it empties out the config path
> (/etc/radicale/config) which might or might not be intended.  IMHO
> it should use the default path, i.e. a line config_paths =
> ["/etc/radicale/config"].
> It would be worth mentioning in a README.debian, whatever it
> will be.

Upstream WSGI file is shipped as-is.  Would you mind bringing these 
issues upstream yourself?


> > You might want to consider uwsgi: I believe with libapache2-mod-wsgi 
> > all data will be writable by the www-data user, which might be a 
> > problem if you host more than a single application on your server.
> 
> Yes, libapache2-mod-wsgi runs as the apache user. For my small setup, 
> this is fine, but thanks for the hint!
> 
> On a background, I started completely revamping a radicale setup 
> originating even before the debian package. Many things are 
> historically grown features.

Ohh, such examination sometimes reveals interesting stuff.  Please do 
keep me (and upstream) posted about any findings of yours!


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#872816: radicale wsgi example not usable

2017-08-21 Thread Joerg Dorchain
On Mon, Aug 21, 2017 at 05:51:07PM +0200, Jonas Smedegaard wrote:
> Quoting Joerg Dorchain (2017-08-21 16:42:41)
> > when trying to use the supplied /usr/share/radicale/radicale.wsgi file 
> > with libapache2-mod-wsgi 4.5.17-1, the following error is displayed in 
> > the apache error log:
> > 
> >  SyntaxError: Non-ASCII character '\\xc2' in file
> >  .../radicale.wsgi on line 4, but no encoding declared; see
> >  http://python.org/dev/peps/pep-0263/ for details
> > 
> > Externally a 500 internal error is shown.
> > 
> > Inserting # coding: utf-8 as second line solves it for me.
> 
> Thanks!

Obviously, to be completely correct, it is the libapache2-mod-wsgi-py3
package.

While at the file, it empties out the config path
(/etc/radicale/config) which might or might not be intended.  IMHO
it should use the default path, i.e. a line config_paths =
["/etc/radicale/config"].
It would be worth mentioning in a README.debian, whatever it
will be.

> 
> You might want to consider uwsgi: I believe with libapache2-mod-wsgi all 
> data will be writable by the www-data user, which might be a problem if 
> you host more than a single application on your server.

Yes, libapache2-mod-wsgi runs as the apache user. For my small
setup, this is fine, but thanks for the hint!

On a background, I started completely revamping a radicale setup
originating even before the debian package. Many things are
historically grown features.

Bye,

Joerg




Bug#872816: radicale wsgi example not usable

2017-08-21 Thread Jonas Smedegaard
Quoting Joerg Dorchain (2017-08-21 16:42:41)
> when trying to use the supplied /usr/share/radicale/radicale.wsgi file 
> with libapache2-mod-wsgi 4.5.17-1, the following error is displayed in 
> the apache error log:
> 
>  SyntaxError: Non-ASCII character '\\xc2' in file
>  .../radicale.wsgi on line 4, but no encoding declared; see
>  http://python.org/dev/peps/pep-0263/ for details
> 
> Externally a 500 internal error is shown.
> 
> Inserting # coding: utf-8 as second line solves it for me.

Thanks!

Apparently libapache2-mod-wsgi is more picky than uwsgi which I use 
myself - that's the reason I wasn't aware of this.

You might want to consider uwsgi: I believe with libapache2-mod-wsgi all 
data will be writable by the www-data user, which might be a problem if 
you host more than a single application on your server.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#872816: radicale wsgi example not usable

2017-08-21 Thread Joerg Dorchain
Package: radicale
Version: 2.1.4-1

Hello,

when trying to use the supplied /usr/share/radicale/radicale.wsgi
file with libapache2-mod-wsgi 4.5.17-1, the following error
is displayed in the apache error log:

 SyntaxError: Non-ASCII character '\\xc2' in file
 .../radicale.wsgi on line 4, but no encoding declared; see
 http://python.org/dev/peps/pep-0263/ for details

Externally a 500 internal error is shown.

Inserting # coding: utf-8 as second line solves it for me.

Bye,

Joerg
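
Added example (not part of the report, and not code from Radicale or mod_wsgi): a check for the condition behind the SyntaxError above, a source file containing non-ASCII bytes with no PEP 263 encoding declaration on its first two lines, and the fix described in the report. Python 3 defaults to UTF-8 source, so the error only appears under a Python 2 interpreter; the sample header and the function names are constructed for illustration.

```python
import re

# Declaration ("cookie") pattern as given in PEP 263.
CODING_RE = re.compile(rb"^[ \t\f]*#.*?coding[:=][ \t]*([-_.a-zA-Z0-9]+)")
COMMENT_OR_BLANK_RE = re.compile(rb"^[ \t\f]*(?:#.*)?$")
UTF8_BOM = b"\xef\xbb\xbf"


def declared_encoding(source):
    """Return the encoding named on line 1 or 2 (or implied by a BOM), else None."""
    if source.startswith(UTF8_BOM):
        return "utf-8"
    for line in source.splitlines()[:2]:
        match = CODING_RE.match(line)
        if match:
            return match.group(1).decode("ascii")
        if not COMMENT_OR_BLANK_RE.match(line):
            break  # code on line 1: a cookie on line 2 does not count
    return None


def undeclared_non_ascii(source):
    """Return (line number, byte) of the first non-ASCII byte when the file
    declares no encoding; None when the file is safe to load."""
    if declared_encoding(source) is not None:
        return None
    for lineno, line in enumerate(source.split(b"\n"), 1):
        for byte in line:
            if byte >= 0x80:
                return lineno, byte
    return None


def add_cookie(source, encoding="utf-8"):
    """Insert '# coding: <encoding>' after a shebang line, else as line 1."""
    if declared_encoding(source) is not None:
        return source
    cookie = b"# coding: " + encoding.encode("ascii") + b"\n"
    first, _sep, rest = source.partition(b"\n")
    if first.startswith(b"#!"):
        return first + b"\n" + cookie + rest
    return cookie + source


# Constructed stand-in for a WSGI script header with a copyright sign on line 4.
SAMPLE = (
    "#!/usr/bin/env python3\n"
    "#\n"
    "# Constructed sample header\n"
    "# Copyright \u00a9 example author\n"
    "application = None\n"
).encode("utf-8")

if __name__ == "__main__":
    print("before:", undeclared_non_ascii(SAMPLE))
    print("after: ", undeclared_non_ascii(add_cookie(SAMPLE)))
```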

