When running a command using the manage.py script, Django gives me a permission denied error:
vagrant@vagrant:/opt/proj$ python3 manage.py migrate
Traceback (most recent call last):
File "/usr/lib/python3.5/logging/config.py", line 558, in configure
handler = self.configure_handler(handlers[name])
File "/usr/lib/python3.5/logging/config.py", line 731, in configure_handler
result = factory(**kwargs)
File "/usr/lib/python3.5/logging/__init__.py", line 1008, in __init__
StreamHandler.__init__(self, self._open())
File "/usr/lib/python3.5/logging/__init__.py", line 1037, in _open
return open(self.baseFilename, self.mode, encoding=self.encoding)
PermissionError: [Errno 13] Permission denied: '/var/log/django/debug.log'
But I am in the correct group (as far as I can see), and I can touch the logfile using the shell:
vagrant@vagrant:/var/log/django$ ls -la
total 20
drwxrwxr-x 2 nobody www-data 4096 Jul 20 13:06 .
drwxrwxr-x 12 root syslog 4096 Jul 20 12:37 ..
-rwxrwxr-x 1 nobody www-data 11283 Jul 20 13:07 debug.log
vagrant@vagrant:/var/log/django$ groups
vagrant adm cdrom sudo dip www-data plugdev lxd lpadmin sambashare
vagrant@vagrant:/var/log/django$ touch debug.log
vagrant@vagrant:/var/log/django$
Can anyone help me understand what the issue is here? I'm using the vagrant 'bento' ubuntu 16.04 image.
Edit: Just to be clear, it does work fine if I set the permissions to 777 on the log file. But I'd rather keep them as 775 (or less).
You don't say what image you're using, but if it comes with SELinux or AppArmor installed, the Mandatory Access Control options may be interfering.
If you are on a distro that uses SELinux, sudo setenforce 0 and then try to run Django. If it works that will determine if it's an SELinux issue. From there, I suggest reading https://wiki.centos.org/HowTos/SELinux or whatever similar documentation exists for your distro to troubleshoot how to use audit2allow or SE booleans to sort out the security denials.
Edit: Having ruled out MAC issues, I bet it's a primary vs. secondary group issue. If you run the command sg www-data -c 'python3 manage.py migrate' and it works, that means that the process you're creating inherits vagrant's primary group, but not any of the secondaries. sg lets you start a process with any of your secondary groups.
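A way to check the group hypothesis from inside the Python process itself, as an added example that is not part of the answer above: it compares the groups the process actually holds with the ones the account database assigns, then evaluates the log file's mode bits against the live credentials. The function names are this example's own; it looks only at mode bits, so root's override, ACLs and MAC are not modelled.

```python
import grp
import os
import pwd
import stat
import sys


def applicable_class(st_uid, st_gid, st_mode, euid, gids):
    """Pick the one permission class the kernel's DAC check uses
    (owner, else group, else other) and report its write bit."""
    if euid == st_uid:
        return "owner", bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return "group", bool(st_mode & stat.S_IWGRP)
    return "other", bool(st_mode & stat.S_IWOTH)


def configured_gids(username):
    """GIDs the account database gives the user (primary + supplementary)."""
    gids = {pwd.getpwnam(username).pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids


def diagnose(path):
    """Compare the groups this process holds with the configured ones,
    then evaluate the mode bits of `path` against the live credentials."""
    st = os.stat(path)
    euid = os.geteuid()
    live = set(os.getgroups()) | {os.getegid()}
    try:
        missing = configured_gids(pwd.getpwuid(euid).pw_name) - live
    except KeyError:  # UID has no passwd entry (e.g. some containers)
        missing = set()
    cls, writable = applicable_class(st.st_uid, st.st_gid, st.st_mode, euid, live)
    return {"class": cls, "mode_allows_write": writable,
            "live_gids": sorted(live), "configured_but_not_live": sorted(missing)}


if __name__ == "__main__":
    # Default path is the log file from the question's traceback.
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "/var/log/django/debug.log"))
```

A non-empty `configured_but_not_live` list means the process is running without a group the account is configured for, so the file's group bits do not apply to it and it falls through to the "other" class.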