Hi Terry,
> > Can anyone suggest a way forward with this issue. My Flask code has
> > been working well while I've been testing it using the Flask
> > Development Server, so I decided to deploy it on nginx. To do this
> > I followed the Tutorial at:
> >
> > https://www.raspberrypi-spy.co.uk/2018/12/running-flask-under-nginx-raspberry-pi/
That's not a tutorial. It's a ‘paste this’. :-)
> > In Step 4 of this, the user is instructed to change the group owner
> > of the Flask App to www-data.
Not quite.
Create an example Flask app by first creating a folder called
“flasktest” :
mkdir flasktest
and setting its group owner to “www-data” :
sudo chown www-data /home/pi/flasktest
That's confused. It claims to be setting ‘its group owner’ but uses
chown(1) which changes the owner. chgrp(1) would change the group.
There is no such thing as a ‘group owner’ so what was intended and why?
> > My main programs are installed in the directory /home/ pi/ and the
> > Flask App is installed into the directory /home/pi/html so I
> > recursively changed everything in html (including html itself) to be
> > in the www-data group.
How? Knowing the command would help spot problems.
> > This caused all sorts of problems, including not being able to
> > import some of the modules used by the Flask App.
That suggests the permissions like read, write and execute, don't marry
with the user and group of the process which is making the accesses,
i.e. nginx and its offspring. The group, for example, can't just be
changed without considering those as they work in concert.
> > What do I need to do to get this to work?
Understand the aim: your web-server Python code will be running as user
and group www-data so the user, group, and permissions of what it needs
to access have to be compatible. Which does not necessarily mean
everything should be www-data:www-data rwxrwxrwx.
> I may have partially solved this. Since in the Tutorial the
> application directory is created before the App is download directly
> to it using wget, I assume that the contents of the directory will
> inherit the group ownership
That's an incorrect assumption. New directory entries only take on the
group of the directory rather than the program's effective group if the
‘set-gid’ bit of the directory is set.
$ mkdir d
$ ls -ld d
drwxr-xr-x 2 ralph ralph 4096 Feb 6 13:39 d
$ chmod g+s d
$ ls -ld d
drwxrwsr-x 2 ralph ralph 4096 Feb 6 13:39 d
$
> so I have used chown -hR to change both the owner and group name from
> pi. It appears to work.
>
> The question I now have, is that what is intended? Copying updates to
> the html directory becomes a bit problematic, because of permissions
> errors. I presume that I will have to use sudo to copy updated files
> there and chown to change the ownership from root to www-data.
>
> Or am I totally up the creek?
You seem to be piling wrong things up instead of scrapping it all and
working out what's required, if anything, different from user pi's
default permissions based on its umask.
Your Python source code needs to be readable to nginx and its children
so it can be opened and read to be interpreted by Python and run. What
other I/O to local disk does your program do? If you don't change
anything from the defaults, what doesn't work?
--
Cheers, Ralph.
--
Next meeting: Online, Jitsi, Tuesday, 2021-03-02 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ... http://dorset.lug.org.uk
New thread, don't hijack: mailto:dorset@mailman.lug.org.uk
