Re: Django runfcgi umask: what is it meant to do and why?

2013-06-30 Thread gilberto dos santos alves
Yes, I agree. My tests on a hostgator.com shared host show this. Tests
on my Ubuntu 12.04 amd64 show the same problem, using Django 1.5 and
1.6a, 16b.

2013/6/30 Juan Luis Boya :
> They say there was an os.umask(0) and that they created that option in
> order to change it.
>
> But I would like to know, then, why was that `os.umask(0)` there in the first
> place? What was its purpose?
>
> On the other hand, there is the confusion this option brings. Many people
> think the option is intended to set the socket umask. Just in that bug
> report there is a user saying "umask=0111 creates a socket with umask...".
> Even the Django documentation recommends that you use separate users for
> increased security and tells you to set the umask argument in order for them
> to communicate.
>
> These are wrong! Not only does setting that umask not work if runfcgi is not
> daemonized, it also gives write permissions to all files created by Django
> to any user in its group (often the web server), potentially breaking
> isolation with other applications (i.e. PHP scripts being run as the server
> user).
>
> - Juan Luis
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-developers.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>



-- 
gilberto dos santos alves
+55.11.98646-5049
sao paulo - sp - brasil





Re: Django runfcgi umask: what is it meant to do and why?

2013-06-30 Thread Juan Luis Boya
They say there was an os.umask(0) and that they created that option in 
order to change it.

But I would like to know, then, why was that `os.umask(0)` there in the 
first place? What was its purpose?

On the other hand, there is the confusion this option brings. Many people 
think the option is intended to set the socket umask. Just in that bug 
report there is a user saying "umask=0111 creates a socket with umask...". 
Even the Django documentation recommends that you use separate users for 
increased security and tells you to set the umask argument in order for them 
to communicate.

These are wrong! Not only does setting that umask not work if runfcgi is 
not daemonized, it also gives write permissions to all files created by 
Django to any user in its group (often the web server), potentially 
breaking isolation with other applications (i.e. PHP scripts being run as 
the server user).

- Juan Luis
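
[Added example, not part of the original thread and not Django's runfcgi code: it contrasts a process-wide umask, which loosens every file the process creates, with a restrictive umask plus an explicit mode on the socket alone. The function names, file names and the 0o007 / 0o660 values are assumptions chosen for illustration.]

```python
import os
import socket
import stat
import tempfile

def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def _bind(path):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)  # the socket node is created with 0o777 & ~umask
    return s

def _write(path):
    with open(path, "w") as f:  # a regular file is created with 0o666 & ~umask
        f.write("constructed sample data")

def process_wide_umask(workdir, umask):
    """One umask for everything the process creates: socket and data files alike."""
    sock = os.path.join(workdir, "app.sock")
    data = os.path.join(workdir, "upload.dat")
    old = os.umask(umask)
    try:
        _bind(sock).close()
        _write(data)
    finally:
        os.umask(old)
    return _mode(sock), _mode(data)

def scoped_socket_mode(workdir, socket_mode=0o660):
    """Restrictive umask for the process; only the socket is opened to the group."""
    sock = os.path.join(workdir, "app.sock")
    data = os.path.join(workdir, "upload.dat")
    old = os.umask(0o077)
    try:
        s = _bind(sock)              # created as 0o700
        os.chmod(sock, socket_mode)  # changed explicitly, on this one path only
        s.close()
        _write(data)                 # stays owner-only
    finally:
        os.umask(old)
    return _mode(sock), _mode(data)

def demo():
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return process_wide_umask(a, 0o007), scoped_socket_mode(b)

if __name__ == "__main__":
    for label, (s, f) in zip(("process-wide umask", "scoped socket mode"), demo()):
        print(f"{label}: socket={s:04o} file={f:04o}")
```
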
