Just wondering if anyone else has experience with setting the write permissions for apache using mod_python w/ django.
On Dec 11, 6:01 pm, Graham Dumpleton <graham.dumple...@gmail.com> wrote:
> On Dec 12, 9:07 am, garagefan <monkeygar...@gmail.com> wrote:
>
> > which would actually result in keeping my server more secure... i
> > would assume leaving other with rwx would be paramount to keeping my
> > front door wide open?
>
> The risk is more from users who have shell accounts on the same
> system, or have web applications running as different user. Those
> users would be able to modify stuff in that directory even though they
> aren't owner.
>
> It doesn't change the risk in respect of other web application code
> running under mod_python or PHP which also runs as Apache user. Such
> code because runs as Apache user would be able to write to the
> directory even if owned by Apache user and not o+rwx.
>
> > I'll look into mod_wsgi... but i can't imagine that every person
> > running mod_python and working with file uploads hasn't had to combat
> > this little issue.
>
> Based on posts one sees, a lot of people just make it o+rwx and leave
> it at that.
>
> > is there really a safety concern?
>
> If you are fully in control of the system and no other users on it, it
> is not good, but not disastrous.
>
> > or is there another way around this?
>
> Make the user owned by Apache user instead and don't have o+rwx.
>
> I am biased, but arguable that mod_wsgi is a better overall choice
> these days than mod_python anyway and with mod_python fading away to a
> degree, better long term choice.
>
> Graham
>
> > On Dec 11, 4:59 pm, Graham Dumpleton <graham.dumple...@gmail.com>
> > wrote:
> >
> > > On Dec 12, 8:52 am, garagefan <monkeygar...@gmail.com> wrote:
> > >
> > > > this is my first time working this closely to the server for a live
> > > > environment :)
> > > >
> > > > "apache" appears as owner of the file once uploaded. is there a way to
> > > > set the default on this to be another user?
> > >
> > > Only by using Apache/mod_wsgi (not mod_python) and specifically using
> > > mod_wsgi daemon mode, with a distinct user defined for the daemon
> > > process and thus your Django application to run as.
> > >
> > > Graham
> > >
> > > > On Dec 11, 4:45 pm, Graham Dumpleton <graham.dumple...@gmail.com>
> > > > wrote:
> > > >
> > > > > On Dec 12, 8:32 am, garagefan <monkeygar...@gmail.com> wrote:
> > > > >
> > > > > > I figured out my issue with the "access denied, suspicious
> > > > > > operation" bull...
> > > > > >
> > > > > > apparently the only way the admin side of my site can upload an
> > > > > > image to a directory is by having "other" set to have full rwx
> > > > > > set... ie chmod **7 I'm not so sure this is a good thing to keep
> > > > > > set as that would give everyone, logged in or other, access to
> > > > > > overwriting data, adding stuff, etc... right?
> > > > >
> > > > > Who owns the files once uploaded?
> > > > >
> > > > > Whoever that is should be the owner of the directory. Sounds like you
> > > > > are running under Apache and don't understand that your code runs as
> > > > > the Apache user.
> > > > >
> > > > > Graham
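The advice in the quoted replies (upload directory owned by the Apache user, no o+rwx), as an added shell example that is not part of the original thread. The function names are hypothetical, and the directory path and the `apache` user name given on the command line are assumptions about the local setup.

```shell
#!/bin/sh
# Added example: audit and tighten a Django upload directory.
# Function names, the example path and the "apache" user are assumptions.

# Print every file or directory under $1 that "other" may write to (o+w).
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" -perm -0002 ! -type l -print
}

# Make $2 (the user the web server runs as) the owner of $1 and remove
# all access for "other". chown needs root; when run unprivileged the
# ownership is left unchanged and only the modes are tightened.
# Note: code running as the same web server user can still write here,
# as pointed out in the thread. This only closes off other local users.
harden_upload_dir() {
    dir=$1
    web_user=$2
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$web_user" "$dir" || return 1
    fi
    # Directories: rwx owner, r-x group, nothing for other.
    find "$dir" -type d -exec chmod 750 {} +
    # Files: rw- owner, r-- group, nothing for other.
    find "$dir" -type f -exec chmod 640 {} +
}

# Usage (as root): sh harden_uploads.sh /path/to/media/uploads apache
if [ "$#" -eq 2 ]; then
    echo "World-writable entries before hardening:"
    list_world_writable "$1"
    harden_upload_dir "$1" "$2"
    echo "World-writable entries after hardening:"
    list_world_writable "$1"
fi
```

If uploads fail after this runs, check that the owner shown by `ls -ld` on the directory is the user the Apache processes actually run as.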