Re: Django runfcgi umask: what is it meant to do and why?
On Mon, Jul 15, 2013 at 3:02 PM, Juan Luis Boyawrote: > I've posted a patch for runfcgi here: > > https://code.djangoproject.com/ticket/20751 > > It includes documentation update and unit tests, for anyone interested, if > any. Juan Luis, This is all great work. Thank you very much for it. There are some new in the fastCGI front: https://groups.google.com/forum/?hl=en#!topic/django-developers/oGmD8LvLTPg I will make sure your work isn't wasted and ends in the FastCGI dapter code whatever that means (external community maintained project or project under Django umbrella) Regards, -- Ramiro Morales @ramiromorales -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
Re: Django runfcgi umask: what is it meant to do and why?
I've posted a patch for runfcgi here: https://code.djangoproject.com/ticket/20751 It includes documentation update and unit tests, for anyone interested, if any. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
Re: Django runfcgi umask: what is it meant to do and why?
Hi Juan, Thanks for your detailed examination and report. The best way to proceed is definitely to create a ticket in trac: https://code.djangoproject.com/newticket . Then, if you are willing and like to become a contributor, you can either add a patch or create a pull request on github. Thanks for your work! Wim On Sunday, 30 June 2013 18:13:59 UTC+2, gilberto dos santos alves wrote: > > yes. i agree. my tests in hostgator.com shared host show this. tests > in my ubuntu 12.04 amd64 shows same problem. using django 1.5 and > 1.6a, 16b. > > 2013/6/30 Juan Luis Boya: > > They talk about there was a os.umask(0) and they created that option in > > order to change it. > > > > But I would like to know then, why was that `os.umask(0)` there in the > first > > place? What was it purpose? > > > > On the other hand there is the confusion this option brings. Many people > > think the option is intended to set the socket umask. Just in that bug > > report there is a user saying "umask=0111 creates a socket with > umask...". > > Even Django documentation recommends you to use separate users for > increased > > security and tells you to set umask argument in order for them to > > communicate. > > > > These are wrong! Setting that umask does not only not work if runfcgi is > not > > daemonized, but also gives write permissions to all files created by > Django > > to any user in its group (often the web server), potentially breaking > > isolation with other applications (i.e. PHP scripts being run as the > server > > user). > > > > - Juan Luis > > > > -- > > You received this message because you are subscribed to the Google > Groups > > "Django developers" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to django-develop...@googlegroups.com . > > To post to this group, send email to > > django-d...@googlegroups.com. > > > Visit this group at http://groups.google.com/group/django-developers. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > > > > -- > gilberto dos santos alves > +55.11.98646-5049 > sao paulo - sp - brasil > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
Re: Django runfcgi umask: what is it meant to do and why?
yes. i agree. my tests in hostgator.com shared host show this. tests in my ubuntu 12.04 amd64 shows same problem. using django 1.5 and 1.6a, 16b. 2013/6/30 Juan Luis Boya: > They talk about there was a os.umask(0) and they created that option in > order to change it. > > But I would like to know then, why was that `os.umask(0)` there in the first > place? What was it purpose? > > On the other hand there is the confusion this option brings. Many people > think the option is intended to set the socket umask. Just in that bug > report there is a user saying "umask=0111 creates a socket with umask...". > Even Django documentation recommends you to use separate users for increased > security and tells you to set umask argument in order for them to > communicate. > > These are wrong! Setting that umask does not only not work if runfcgi is not > daemonized, but also gives write permissions to all files created by Django > to any user in its group (often the web server), potentially breaking > isolation with other applications (i.e. PHP scripts being run as the server > user). > > - Juan Luis > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To post to this group, send email to django-developers@googlegroups.com. > Visit this group at http://groups.google.com/group/django-developers. > For more options, visit https://groups.google.com/groups/opt_out. > > -- gilberto dos santos alves +55.11.98646-5049 sao paulo - sp - brasil -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
Re: Django runfcgi umask: what is it meant to do and why?
They talk about there was a os.umask(0) and they created that option in order to change it. But I would like to know then, why was that `os.umask(0)` there in the first place? What was it purpose? On the other hand there is the confusion this option brings. Many people think the option is intended to set the socket umask. Just in that bug report there is a user saying "umask=0111 creates a socket with umask...". Even Django documentation recommends you to use separate users for increased security and tells you to set umask argument in order for them to communicate. These are wrong! Setting that umask does not only not work if runfcgi is not daemonized, but also gives write permissions to all files created by Django to any user in its group (often the web server), potentially breaking isolation with other applications (i.e. PHP scripts being run as the server user). - Juan Luis -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
Re: Django runfcgi umask: what is it meant to do and why?
git blame on the line that sets the umask shows it was as a result of ticket #6994: https://code.djangoproject.com/ticket/6994 Discussion in that ticket is probably the best information you are going to get on rationale. Karen -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
Django runfcgi umask: what is it meant to do and why?
Hello people. I was wondering what runfcgi's umask argument is meant to do. When I first met it I though it would set the permissions mask for my fcgi socket. runfgi's help told another thing instead: umask to use when daemonizing, in octal notation (default 022). And it is right. That's what it does. When daemonize=false, it will set the umask for Django child processes, effectively changing default permissions for newly created files, including the socket. When daemonize=true, it will do nothing. What sense makes that? Is there any case in where I would like my Django process umask to be different when I run it in the background than when I run it on the foreground? I can't think of any. Is there even any logical reason for the default umask for new files setting to be a runfcgi argument? On the other hand, I feel a flagrant miss: I need to set the permission mask just for my socket, not for other files. I want my web server being run as a different user and I want it to be able to write on the socket, but not to overwrite uploaded files, for example. I am not entirely alone. There are questions like this in StackOverflow [1], in this list [2], in the IRC logs [3] and I would bet there is many people suffering it in silence. >From my point of view, this is what runfcgi should tell in the help and do about umask: UNIX socket umask, in octal notation (default 022) And in fact, this is really easy to get. Just go to django/core/servers/fastcgi.py and change line 172 which looks like this: daemon_kwargs['umask'] = int(options['umask'], 8) To this: wsgi_opts['umask'] = int(options['umask'], 8) And done! Now it will have exactly the -- from my point of view -- sensible behaviour. The socket will be created with the specified umask and other files created from Django, like uploaded files, will remain with their default umask. It's so easy to fix and return it to sanity that I almost can't believe it's not a covert bug. I would like to read your thoughts on the matter. - Juan Luis [1] http://stackoverflow.com/a/15135644/1777162 [2] https://groups.google.com/forum/#!searchin/django-developers/umask/django-developers/XVlh-uF-ffE/tFYAQVLyK1QJ [3] http://django-irc-logs.com/search/?q=umask -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.