1

I have following Apache configuration and my application is working fine:

<VirtualHost *:80>
    ServerName ig-test.example.com
    WSGIScriptAlias / /home/ig-test/src/repository/django.wsgi
    WSGIDaemonProcess ig-test user=ig-test
</VirtualHost>

But I want to protect my files from other users, so I do:

chown ig-test /home/ig-test/ -R
chmod og-rwx /home/ig-test/ -R

And application stops working:

(13)Permission denied: /home/ig-test/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Is it possible to achieve what i'm doing with wsgi? If I have to give read permissions to some files it will be fine. But there are files I have to protect (like file with DB configuration or business logic of application).

Tomasz Wysocki
  • 111
  • 5

2 Answers2

0

From what I'm seeing right now in a site of mine: the directory structure up until your wsgi file needs to be accessible (+rx) to your webserver (or to everybody).

Reinout van Rees
  • 170
  • 6
0

It appears this is not possible, unless you are running Apache as a root (this is not good due to security risk).

Only real solution to this is to run separate wsgi server (like uwsgi) and use Apache or Nginx as proxy for this server. In this case you can run wsgi processes with custom uid and gid.

Tomasz Wysocki
  • 111
  • 5
  • What the other answer said was correct, 'the directory structure up until your wsgi file needs to be accessible (+rx) to your webserver'. That is the only restriction but through correct group permissions or ACLS it can be achieved. If you use daemon mode the WSGI code file itself and any code files used by the application need only be readable to the user the daemon process runs as, which can be a distinct user from the Apache user the server runs as. If you have the WSGI file in completely different directory to app code, even easier to achieve without funny group permissions. – Graham Dumpleton Jun 14 '12 at 07:27