mod_wsgi working directory and user

Question

I'm running flask on mod_wsgi. my flask app, which is on /var/www/app receives some file from user and saves it to /var/www/app/tmp directory. However even after all chmod and chown(thought it was a permission problem), I was unable to reach that tmp directory.

After some debugging I found out that the current working directory of the flask app is /. I can change working directory by os.chdir('/var/www/'), but I'd like to avoid that for security concerns.

here is my apache configuration:

<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias site.com
    ServerAdmin admin@localhost

    WSGIDaemonProcess app user=www-data group=www-data processes=1
    WSGIScriptAlias / /var/www/app.wsgi

    Alias /static /var/www/app/static

    <Directory /var/www/app>
        WSGIProcessGroup app
        WSGIApplicationGroup %{GLOBAL}
        WSGIScriptReloading On
        Order deny,allow
        Allow from all
    </Directory>

    <Location "/static">
        SetHandler None
    </Location>

</VirtualHost>

How can I change working directory of my app from / to /var/www ?

Answer 1

The documentation for WSGIDaemonProcess says you can use the home=... stanza:

home=directory

Defines an absolute path of a directory which should be used as the initial current working directory of the daemon processes within the process group. If this option is not defined, in mod_wsgi 1.X the current working directory of the Apache parent process will be inherited by the daemon processes within the process group. Normally the current working directory of the Apache parent process would be the root directory. In mod_wsgi 2.0+ the initial current working directory will be set to be the home directory of the user that the daemon process runs as.

I'm curious, though -- why would using os.chdir be any more of a security risk in your opinion?