Yup, you want that web user to do everything. If the delta indexes are still ending up as owned by root, I'm confused. The TS code doesn't invoke any users, it just makes the call to indexer.

--
Pat

On 24/05/2009, at 7:58 AM, Elad Meidar wrote:

> run... and i also set the :admin_runner option to 'web'...
>
> The same user that runs 'searchd' in the first place, it's the same
> user that should be running 'indexer' calls too?
>
> On May 23, 9:25 pm, Pat Allan <[email protected]> wrote:
>> I guess what I was wondering is whether you were using the 'run'
>> command or the 'sudo' command in your capistrano tasks - I know I've
>> made the mistake of using the latter when 'run' would have been the
>> better choice.
>>
>> --
>> Pat
>>
>> On 23/05/2009, at 5:59 PM, Elad Meidar wrote:
>>
>>> now SSH. i thought about testing the configuration and running process
>>> manually before deploying with it.
>>>
>>> On May 23, 6:34 pm, Pat Allan <[email protected]> wrote:
>>>> How are you running the rake task? Via capistrano? Or ssh'd into your
>>>> production machine?
>>>>
>>>> --
>>>> Pat
>>>>
>>>> On 23/05/2009, at 3:23 PM, Elad Meidar wrote:
>>>>
>>>>> i'm running passenger on the default apache user www-data, i didn't
>>>>> change nothing from the default apache/passenger installations.
>>>>>
>>>>> i tried a little test....
>>>>>
>>>>> i chown'ed the *delta* files to web:web, just like the *core* files
>>>>> and checked that it really happened.
>>>>> then, i ran "rake RAILS_ENV=production ts:index --rotate" and listed
>>>>> the files again.
>>>>>
>>>>> owner was again root.
>>>>>
>>>>> On May 23, 4:37 pm, Pat Allan <[email protected]> wrote:
>>>>>> Are your mongrels running as root? Or passenger? This is the process
>>>>>> that will invoke delta indexing, and thus overwrite the existing files
>>>>>> to new ones with root access only.
>>>>>>
>>>>>> --
>>>>>> Pat
>>>>>>
>>>>>> On 23/05/2009, at 1:34 PM, Elad Meidar wrote:
>>>>>>
>>>>>>> Well, i moved everything to web
>>>>>>> (ts:stop, ts:index, :ts:start after clearing all the db/sphinx folder)
>>>>>>>
>>>>>>> but still all the delta files are created under the root ownership, i
>>>>>>> really don't know why.. i am sure that only the web user is doing any
>>>>>>> kind of thinking_sphinx related actions.
>>>>>>> when i manually chown the files to be under the "web" user, deltas
>>>>>>> appear on search and everything is awesome.
>>>>>>>
>>>>>>> this is my crontab for the web user... any idea how or who is changing
>>>>>>> those files ownerships?
>>>>>>>
>>>>>>> */2 * * * * cd /var/www/statussearch2/current/ && rake RAILS_ENV=production ts:index --rotate
>>>>>>> * */5 * * * cd /var/www/statussearch2/current/ && rake RAILS_ENV=production ts:index
>>>>>>>
>>>>>>> On May 23, 10:20 am, Elad Meidar <[email protected]> wrote:
>>>>>>>> well, the rake tasks are run by the deploying user, which is 'web'
>>>>>>>>
>>>>>>>> but i think that there are some cron tasks (--rotate for example) that
>>>>>>>> are run by 'root'
>>>>>>>>
>>>>>>>> i'll move everything to 'web' and i'll see where it's heading.
>>>>>>>>
>>>>>>>> Thnx.
>>>>>>>>
>>>>>>>> On May 23, 2:19 am, James Healy <[email protected]> wrote:
>>>>>>>>> Pat Allan wrote:
>>>>>>>>>> You need the web server and the rake tasks to be run by the same user
>>>>>>>>>> - either both by root, or some other user of your choice. This should
>>>>>>>>>> avoid any permissions issues.
>>>>>>>>>>
>>>>>>>>>> The *easiest* way is probably to run the rake tasks with sudo - not
>>>>>>>>>> convinced that's the *best* way though. Others may know better :)
>>>>>>>>>
>>>>>>>>> As a general rule you really don't want to run internet accessible
>>>>>>>>> daemons as root.
>>>>>>>>>
>>>>>>>>> I personally use the Debian convention of www-data user and group
>>>>>>>>> for my webserver, mongrels and cron triggered rake tasks. It doesn't
>>>>>>>>> matter too much which user you use, just pick or create one with
>>>>>>>>> reduced privileges. You want to minimise the impact of a malicious
>>>>>>>>> user finding an exploitable bug in the process.
>>>>>>>>>
>>>>>>>>> -- James Healy <jimmy-at-deefa-dot-com> Sat, 23 May 2009 16:14:36 +1000
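
The ownership check the thread keeps doing by hand (listing db/sphinx and looking for root-owned delta files), written as a pre-flight audit that could run before `indexer` is invoked. This is an added example, not part of the thread and not Thinking Sphinx code; `audit_index_dir`, `safe_to_index?`, `build_sample_dir` and the sample file names are hypothetical.

```ruby
require 'fileutils'
require 'tmpdir'

# Common Sphinx index file extensions; *.new.* copies appear during --rotate.
INDEX_GLOB = '*.sp[adhikmp]'

# Report ownership problems in a Sphinx index directory, as seen by the
# account (run_uid) that is about to invoke indexer.
def audit_index_dir(dir, run_uid)
  paths = Dir.glob(File.join(dir, INDEX_GLOB)).sort
  foreign = paths.reject { |path| File.stat(path).uid == run_uid }
                 .map { |path| File.basename(path) }
  {
    running_as_root: run_uid.zero?,
    dir_owner_mismatch: File.stat(dir).uid != run_uid,
    foreign_files: foreign,
    foreign_deltas: foreign.grep(/_delta\./)
  }
end

# True only for a non-root account that owns the directory and every index file.
def safe_to_index?(dir, run_uid = Process.euid)
  report = audit_index_dir(dir, run_uid)
  !report[:running_as_root] && !report[:dir_owner_mismatch] &&
    report[:foreign_files].empty?
end

# Constructed sample directory (file names are made up for the example).
def build_sample_dir
  dir = Dir.mktmpdir('sphinx-audit')
  %w[status_core.spd status_core.spi status_delta.spd
     status_delta.new.spd notes.txt].each do |name|
    FileUtils.touch(File.join(dir, name))
  end
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = build_sample_dir
  begin
    # Pretend a different account (uid + 1) is about to run indexer.
    other_uid = File.stat(dir).uid + 1
    p audit_index_dir(dir, other_uid)
    puts "safe for current user: #{safe_to_index?(dir)}"
  ensure
    FileUtils.remove_entry(dir)
  end
end
```

Run against the real index directory as each account that touches it (web server user, cron user, deploy user); any account for which `safe_to_index?` is false is one whose indexing run would hit or create the ownership mismatch discussed above.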
