I know this is REALLY old but this topic is crucial to production and gets 
VERY little attention.

So, it seems that the lock script has to run AFTER the web2py server has 
been started by www-data (as a daemon by UWSGI, for example).

Or, can root start everything even in its locked state?


I am sorry but this is another one of those sysadmin things that you may 
assume that everyone is qualified to perform and that web2py docs need not 
address.

But, that is a very bad assumption.  We know how to code but we don't know 
Linux sys admin.  This must be documented:  security WITHIN web2py, as 
addressed by the documentation, is COMPLETELY inadequate when a server 
directory is pretty much open to the world.  So, this should be documented. 
 I am afraid I am quite unqualified to contribute to such documentation.

Thanks,
Lewis

On Wednesday, January 5, 2011 at 5:01:15 AM UTC-8, mdipierro wrote:
>
> If the web2py server runs as www-data then web2py/ should be owned by 
> www-data and it should have read write permissions. You can then lock 
> your apps running 
>
> web2py/scripts/web2py-lock.sh 
>
> On Jan 5, 6:50 am, Branko Vukelić <stu...@brankovukelic.com> wrote: 
> > If you want 644 perms on the directory, the owner should be the user 
> > that starts web2py. If webserver starts it, then the webserver user 
> > (nobody, http, www, etc) should own the directory (or have permissions 
> > to write to it anyway). If you start it manually, then the user you 
> > used to start web2py owns it. 
> > 
> > On Wed, Jan 5, 2011 at 1:07 PM, walter <wdv...@gmail.com> wrote: 
> > > I want to ask what folders should be accessible for writing? 
> > > Which folders should be set to permissions 644? 
> > > Who must be the owner of all folders and files? 
> > 
> > -- 
> > Branko Vukelic 
> > 
> > stu...@brankovukelic.com http://www.brankovukelic.com/
