Re: [modwsgi] Run different scripts as different users

[Scott D Anderson]

Thanks, Graham, that works perfectly. I really appreciate your help.

I'm now working on setting things up so that each student can deploy a
Flask application using WSGI. Wish me luck!

Scott


On Wed, Sep 21, 2016 at 11:27 PM, Graham Dumpleton <
graham.dumple...@gmail.com> wrote:

>
> On 22 Sep 2016, at 12:49 PM, Scott D Anderson <
> scott.ander...@wellesley.edu> wrote:
>
> I'm now able to successfully run my script as a user other than Apache,
> thanks to Graham's help. I now want to replicate the "suexec" aspect of CGI
> and allow different scripts to run as different users. (I don't necessarily
> need Apache to "su" to the script's owner; I'm willing to hard-code that.)
>
> I created an Apache .conf file to set up two scripts with different users.
> (The two scripts are identical; they just have different names):
>
> LogLevel info
>
> # My thanks to Graham Dumpleton for this addition
> WSGISocketPrefix /var/run/wsgi
>
> WSGIScriptAlias /scottapp /home/anderson/public_html/myapp-scott.wsgi
> WSGIDaemonProcess scottapp *user=anderson*
> WSGIProcessGroup scottapp
>
> WSGIScriptAlias /cs304app /home/anderson/public_html/myapp-cs304.wsgi
> WSGIDaemonProcess cs304app *user=cs304*
> WSGIProcessGroup cs304app
>
> Both urls are running as the "cs304" user; neither runs as "anderson". So,
> it seems the second value overwrote the first, and that there can be only
> one value for WSGIDaemonProcess.  Is that right?  I've read and re-read the
> docs on WSGIDaemonProcess and WSGIProcessGroup, and I can't be sure.
>
> Is there a way to get the behavior I want, where I can have each allowed
> user to run their script as their personal UID, instead of as Apache?
>
>
> Use:
>
> WSGIDaemonProcess scottapp user=anderson
> WSGIScriptAlias /scottapp /home/anderson/public_html/myapp-scott.wsgi
> process-group=scottapp
>
> WSGIDaemonProcess cs304app user=cs304
> WSGIScriptAlias /cs304app /home/anderson/public_html/myapp-cs304.wsgi
> process-group=cs304app
>
> If you set WSGIProcessGroup in same context, the last one will win. You
> would either need to qualify it with a Location/Directory directive, or
> just use those options on WSGIScriptAlias to force it to use that daemon
> process group. The WSGIDaemonProcess directive for a group must come before
> WSGIScriptAlias using it when doing that.
>
> Graham
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to modwsgi+unsubscr...@googlegroups.com.
> To post to this group, send email to modwsgi@googlegroups.com.
> Visit this group at https://groups.google.com/group/modwsgi.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Scott D. Anderson
Computer Science Department
Wellesley College
scott.ander...@acm.org
scott.ander...@wellesley.edu

-- 
You received this message because you are subscribed to the Google Groups 
"modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to modwsgi+unsubscr...@googlegroups.com.
To post to this group, send email to modwsgi@googlegroups.com.
Visit this group at https://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.

Re: [modwsgi] Run different scripts as different users

[Graham Dumpleton]

> On 22 Sep 2016, at 12:49 PM, Scott D Anderson  
> wrote:
> 
> I'm now able to successfully run my script as a user other than Apache, 
> thanks to Graham's help. I now want to replicate the "suexec" aspect of CGI 
> and allow different scripts to run as different users. (I don't necessarily 
> need Apache to "su" to the script's owner; I'm willing to hard-code that.)
> 
> I created an Apache .conf file to set up two scripts with different users. 
> (The two scripts are identical; they just have different names):
> 
> LogLevel info
> 
> # My thanks to Graham Dumpleton for this addition
> WSGISocketPrefix /var/run/wsgi
> 
> WSGIScriptAlias /scottapp /home/anderson/public_html/myapp-scott.wsgi
> WSGIDaemonProcess scottapp user=anderson
> WSGIProcessGroup scottapp
> 
> WSGIScriptAlias /cs304app /home/anderson/public_html/myapp-cs304.wsgi
> WSGIDaemonProcess cs304app user=cs304
> WSGIProcessGroup cs304app
> 
> Both urls are running as the "cs304" user; neither runs as "anderson". So, it 
> seems the second value overwrote the first, and that there can be only one 
> value for WSGIDaemonProcess.  Is that right?  I've read and re-read the docs 
> on WSGIDaemonProcess and WSGIProcessGroup, and I can't be sure.
> 
> Is there a way to get the behavior I want, where I can have each allowed user 
> to run their script as their personal UID, instead of as Apache?

Use:

WSGIDaemonProcess scottapp user=anderson
WSGIScriptAlias /scottapp /home/anderson/public_html/myapp-scott.wsgi 
process-group=scottapp

WSGIDaemonProcess cs304app user=cs304
WSGIScriptAlias /cs304app /home/anderson/public_html/myapp-cs304.wsgi 
process-group=cs304app

If you set WSGIProcessGroup in same context, the last one will win. You would 
either need to qualify it with a Location/Directory directive, or just use 
those options on WSGIScriptAlias to force it to use that daemon process group. 
The WSGIDaemonProcess directive for a group must come before WSGIScriptAlias 
using it when doing that.

Graham

-- 
You received this message because you are subscribed to the Google Groups 
"modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to modwsgi+unsubscr...@googlegroups.com.
To post to this group, send email to modwsgi@googlegroups.com.
Visit this group at https://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.