Re: [modwsgi] Using WSGIDaemonProcess and WSGIProcessGroup to run scripts as another user

2016-09-21 Thread Scott D Anderson
You rule!  That was (of course) exactly it. I'm sorry that I didn't find
that in your excellent documentation.  Thank you so much!

Scott


On Wed, Sep 21, 2016 at 10:08 PM, Graham Dumpleton <graham.dumple...@gmail.com> wrote:

> Have a look at:
>
> * http://modwsgi.readthedocs.io/en/develop/user-guides/configuration-issues.html#location-of-unix-sockets
>
> and see if that helps.
>
> Graham


-- 
Scott D. Anderson
Computer Science Department
Wellesley College
scott.ander...@acm.org
scott.ander...@wellesley.edu

-- 
You received this message because you are subscribed to the Google Groups 
"modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to modwsgi+unsubscr...@googlegroups.com.
To post to this group, send email to modwsgi@googlegroups.com.
Visit this group at https://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.


Re: [modwsgi] Using WSGIDaemonProcess and WSGIProcessGroup to run scripts as another user

2016-09-21 Thread Graham Dumpleton
Have a look at:

* http://modwsgi.readthedocs.io/en/develop/user-guides/configuration-issues.html#location-of-unix-sockets

and see if that helps.

Graham

> On 22 Sep 2016, at 7:24 AM, Scott D Anderson  wrote:
> 
> I'm new to WSGI, but I have a lot of experience with CGI/Python using suexec 
> on RHEL/CentOS 6.8, Apache 2.2.  In the past, I've used suexec so that each of 
> my students can run their code as their own UID.  I'm hoping to replicate 
> that behavior with WSGI.
> 
> I followed the tutorial and directions by Graham Dumpleton here: 
> http://modwsgi.readthedocs.io/en/develop/getting-started.html 
> 
> Things went wrong when I got to this page on the WSGI Daemon Process: 
> http://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIDaemonProcess.html
> 
> My Python script is Graham's example, no fancy framework code (though I'd 
> like to have that someday). 
> 
> I put the following directives into a file (wsgi-test.conf) in 
> /etc/httpd/conf.d/ and restarted Apache:
> 
> # cat wsgi-test.conf
> 
> LogLevel info
> WSGIScriptAlias /myapp /home/anderson/public_html/myapp.wsgi
> 
> # This works, app runs as Apache.
> WSGIDaemonProcess myapp
> 
> # This works, but still runs as Apache
> #WSGIDaemonProcess myapp user=anderson
> 
> # adding this to either daemon process results in an error 503: Service Temporarily Unavailable
> WSGIProcessGroup myapp
> 
> As the comments say, if I omit the ProcessGroup directive, the script runs 
> correctly, but runs as Apache (uid=48), which is to be expected. Here's the 
> relevant part of the documentation:
> 
> 
> 
> To delegate a particular WSGI application to run in a named set of daemon 
> processes, the WSGIProcessGroup directive should be specified in appropriate 
> context for that application. If WSGIProcessGroup is not used, the 
> application will be run within the standard Apache child processes.
> 
> 
> Okay, if I add in the WSGIProcessGroup directive, I get the 503 error. The 
> logs say:
> 
> [Wed Sep 21 17:11:24 2016] [error] [client 149.130.194.56] (13)Permission denied: mod_wsgi (pid=27897): Unable to connect to WSGI daemon process 'myapp' on '/etc/httpd/logs/wsgi.26136.4.1.sock' after multiple attempts.
> 
> Here's the file it's complaining about:
> 
> # ls -l /etc/httpd/logs/wsgi.26136.4.1.sock
> srwx--. 1 apache root 0 Sep 21 16:56 /etc/httpd/logs/wsgi.26136.4.1.sock
> 
> Note that Apache is started as root, which I believe is necessary for the 
> switching of uid:
> 
> # ps -ef | grep httpd
> root     26136     1  0 16:31 ?        00:00:00 /usr/sbin/httpd
> apache   27889 26136  0 16:56 ?        00:00:00 /usr/sbin/httpd
> apache   27890 26136  0 16:56 ?        00:00:00 /usr/sbin/httpd
> apache   27891 26136  0 16:56 ?        00:00:00 /usr/sbin/httpd
> ...
> 
> I noticed in the documentation that examples of WSGIProcessGroup often 
> specify a virtual host name, but I don't have to create a virtual host, do I?
> 
> At this point, I'm out of ideas. I'd appreciate any help.
> 
> Thanks,
> 
> Scott D. Anderson
> scott.ander...@wellesley.edu

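
The failure in this thread, as an added example (not code from the thread or from mod_wsgi): a Python check that walks the path to the daemon socket and reports the first component the Apache child uid cannot pass. The modes and owners in `SAMPLE`, the `/var/run` location and the helper names are constructed assumptions; on a live host, call `first_blocker(os.path.realpath(path), uid, gids)` so the default `os.stat` is used.

```python
import os
import stat
from collections import namedtuple

St = namedtuple("St", "st_mode st_uid st_gid")  # minimal stand-in for os.stat_result


def allows(st, uid, gids, want):
    """True if st's mode grants the `want` bits (0o1 search, 0o2 write) to uid/gids."""
    if uid == 0:
        return True
    # Unix applies exactly one permission class: owner, else group, else other.
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want


def first_blocker(sock_path, uid, gids, stat_fn=os.stat):
    """Return (path, reason) for the first obstacle to connecting, or None."""
    current = "/"
    for name in [""] + sock_path.strip("/").split("/")[:-1]:
        current = os.path.join(current, name) if name else "/"
        if not allows(stat_fn(current), uid, gids, 0o1):
            return current, "directory not searchable"
    st = stat_fn(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        return sock_path, "not a socket"
    if not allows(st, uid, gids, 0o2):
        return sock_path, "socket not writable"
    return None


# Constructed sample: modes and owners are assumptions, not read from the
# poster's host. uid 48 is the Apache uid quoted in the thread.
ROOT_DIR = St(stat.S_IFDIR | 0o755, 0, 0)
SOCK = St(stat.S_IFSOCK | 0o700, 48, 0)
SAMPLE = {
    "/": ROOT_DIR, "/etc": ROOT_DIR, "/etc/httpd": ROOT_DIR,
    "/etc/httpd/logs": St(stat.S_IFDIR | 0o700, 0, 0),  # root-only directory
    "/etc/httpd/logs/wsgi.26136.4.1.sock": SOCK,
    "/var": ROOT_DIR, "/var/run": ROOT_DIR,
    "/var/run/wsgi.26136.4.1.sock": SOCK,
}

if __name__ == "__main__":
    for path in ("/etc/httpd/logs/wsgi.26136.4.1.sock", "/var/run/wsgi.26136.4.1.sock"):
        print(path, "->", first_blocker(path, 48, {48}, SAMPLE.__getitem__))
```

mod_wsgi's `WSGISocketPrefix` directive, which the linked documentation section covers, sets where these sockets are created. The check covers classic mode bits only; POSIX ACLs and SELinux policy are not modelled.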