1

I'm using mod_itk as MPM for increased security in shared environment. I also have a Firefox Sync Server within one of the VHosts I host. That vhost is restricted to a certain user via AssignUserId user group.

The problem is that the socket /var/run/wsgi...whatever.sock is chmodded srwx------ and owned by Apache's wwwrun. While I configured the vhost with 

WSGIProcessGroup sync
WSGIDaemonProcess sync user=djechelon group=djechelon processes=1 threads=5

I still get the error that Apache wants to access a socket that is not accessible and because of this gets an error.

Is it possible to configure mod_wsgi in order to create different sockets with different owners for different applications or to chmod its socket in a different way (less secure)?

Currently, I'm running Firefox Sync as the only WSGI application. Moving it to a vhost that doesn't AssignUserId could solve this problem but will force me to change URL (and buy an additional SSL certificate), so I wouldn't consider this

usr-local-ΕΨΗΕΛΩΝ
  • 2,359
  • 7
  • 34
  • 52

1 Answers1

2

You need mod_wsgi 3.3 or later, and the mod_wsgi source must be compiled against a full Apache with developer header files corresponding to the ITK MPM. You cannot use a binary of mod_wsgi compiled against worker or prefork MPM as the ITK support you need is a compile time thing.

Unfortunately the Linux distros who provide ITK MPM variant of Apache as an option, don't seem to provide httpd-dev or apache2-dev package variants corresponding to that same ITK MPM. As a result, people usually end up having to build up their own Apache from source code with ITK MPM and proper header files with ITK version of mpm.h to get it to work.

Graham Dumpleton
  • 6,090
  • 2
  • 21
  • 19