Running Ubuntu 10.04 on Linode, RVM, Rails 3, Apache with Passenger module, carrierwave and mini-magick
I get:
Rails Error: Unable to access log file. Please ensure that /srv/www/mysite.com/testapp/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
and Errno::EACCES (Permission denied /srv/www/mysite.com/testapp/public/uploads/tmp/20110517-1707-2938-6455):
I ran chmod -R root:root /srv/www/mysite.com/testapp
Then: chmod -R www-data:www-data /srv/www/mysite.com/testapp
& chmod -R www-data:www-data /srv/www/mysite.com/testapp/public/uploads
Since the only 2 directories that should be writable is the log files and uploads directory I tried to secure the rest. Are there any other folders / files that I need to make writable?
Permissions on web sites is a little strange: on the one hand, the content needs to be readable by the webserver and FastCGI
or Passenger
or whatever executes the (in this case, Ruby) code. On the other hand, if the webserver user owns the files, then a hacked webserver or (more likely :) your code could modify the executable files and static files that are your website. It happens too often.
If the content of the website is owned by some other user, not writable by the web server software, then the website can not be overwritten by attackers. (Of course, you have a few open sockets to a database connection; all the database backed data can be corrupted by attackers. Also, any directory where you allow uploads could be corrupted by attackers. But the goal is to reduce the privileges of the software as far as reasonable.)
So, all that said, on to your specific question; your webserver software runs as www-data
, and it makes sense for your log files and upload directory to be owned by www-data
:
mkdir -p /srv/www/mysite.com/testapp/log/ # might not exist yet
chown -R pcasa:pcasa /srv/www/mysite.com/ # or some other user
chmod 755 /srv/www/mysite.com
chmod 755 /srv/www/mysite.com/testapp/
# populate the app directory with your files, if you haven't done so already
chown -R www-data:www-data /srv/www/mysite.com/testapp/log
chmod 755 /srv/www/mysite.com/testapp/log # see notes
chmod 644 /srv/www/mysite.com/testapp/log/* # see notes
I made the assumption that all users on your system can read the log. This might not be true. Use 700
in place of 755
and 600
in place of 644
if you don't want all system users to read the log files.
Next, for your uploads
directory:
mkdir -p /srv/www/mysite.com/testapp/public/uploads/tmp # might not exist yet
chown -R www-data:www-data /srv/www/mysite.com/testapp/public/uploads
chmod 755 /srv/www/mysite.com/testapp/public/uploads
chmod 755 /srv/www/mysite.com/testapp/public/uploads/tmp
Again, I've made the assumption that all users on your system can be able to see all the uploaded content. Use 700
in place of 755
if you just want the webserver software to be able to read the files.
These are simple guidelines that should work; you can get more complicated if you want to keep the website software and content shared only between the user that owns the website and the user that runs the website, by running the webserver with a supplementary group (see newgrp(1)
and group(5)
manpages for details) and giving the files the same group owner, and using the group permission bits (the middle octal number: 750
vs 700
). It's complicated enough that unless you've got a good reason, it's probably not worth going down this route. (Definitely worth doing once on a development machine somewhere, just so you're familiar enough with it that you can use it in the future. :)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With