I'm running my rails application with the help of passenger. And i see in top that it run's as www-data user, but when i try to run under this user this command:
rake ts:index
i get like access denied
when i'm under root (run under root rake ts:index) - all is ok...
what is better:
to make passenger running as root (how to do that)
or
what ever could i do?
how to do, that sphinx could reindex database?
part of code in method:
def self.reindexDB
`rake ts:index`
end
I'm not sure if what you're doing is good or not, because if you run that rake command in root user, I believe the output files (index files) will be owned by the root user, with wrong permissions those files won't be accessible by your own server (www-data),
I think the best way to handle this is to add your own user ( the one you use to ssh on the server ) to the www-data group
There's 2 ways to do that
Command line: like sudo usermod -a -G www-data [your-user]
Editing /etc/group:
Edit the /etc/group file and look for the line that starts with www-data then append your own user in it, it should look something like this at the end
www-data:x:33:[your-user]
save the file then you need to logout and log back in to find the changes,
I believe after this you'll be able to run the command by your own user and it will still have access to the www-data owned files.
Related
Rails 3.2.18
Ruby 2.15
I inherited a Rails application that I am trying to decipher. In environments/production.rb, I have:
config.logger = Logger.new(config.paths['log'].first, 100, 10485760)
config.log_tags = [ lambda {|r| DateTime.now } ]
which is going to create a log file in the log folder and when it reaches 10MB it ages it and keeps 100 in the folder.
When I look at the folder, I see that the owner of these files is root. How do I make sure the owner is the user and not root? For instance, if the application is deployed in /home/myapp, I want the owner to be the myapp user. The real side issue I'm having is that if I am logged in as the myapp user and try to precompile assets, it fails because the log file is owned by root.
Permissions are always a pain. You'll likely want to run something like this:
sudo chown -R myapp_user /home/myapp
or
sudo chown -R myapp_user:myapp_user /home/myapp
if you want the group to be set as well. This requires the user you are running as to have sudo permissions. If you don't have sudo permissions you'll have to login as root and execute the command above.
I'm thinking about writing a Rails application to manage servers like cPanel.
The hardest part is to select the best way to run commands that require root privileges, like adduser, or doing things that require another user's privileges, like changing nginx config files.
I know only two ways to achieve this:
I can write a standalone daemon that will be run as root and do all the work, receiving commands through IPC or something like this.
Run Rail's server as the root user, and do anything from it or execute commands/bash scripts from it.
Which of these ways are best? Does there exist another way to to this?
sudo -i
I tried doing things like sudo bundle exec rails console but it wouldn't quite run it as root so when I tried to create a directory from the console it let me know that I did not have the correct permissions.
However, using sudo -i it enters you into an "interactive console" as the sudo root user and then you can run bundle exec rails console as the sudo root user.
Hopes that helps others.
You need to do #2.
Start your application as root, and you will be able to do all operations as root.
Writing code to run as a daemon would work also, but it's harder to debug.
In either case you have to protect against hacking attempts via unauthorized access. One slip and your system would be compromised.
I'm using carrierwave in a rails app to upload files. It works fine on my development environment, but on my production VM (Ubuntu), I'm getting this error:
An Errno::EACCES occurred in users#update:
Permission denied - /home/yards/apps/yardsapp/releases/20130616143623/public/uploads/tmp/20130616-1438-14186-3184
/usr/local/lib/ruby/1.9.1/fileutils.rb:244:in `mkdir'
I'm pretty sure I understand what is going on, but I can't seem to figure out a fix. My capistrano deploy.rb is set up with the user as root. So when it creates the new release folder on a deploy, the access rights are for root (I think).
Then when I try to upload a file, I get that error because nginx is trying to execute a mkdir as www-data.
I could chown the folder after the deploy and it works...but then another deploy creates another new directory with owner set to root as default.
At least I think this is what is going on. Does anyone have any ideas on how I should be doing this?
Run your deployment as www-data. You might need to adjust the authorized_keys file for the www-data user as well to be able to connect.
To fastest way would be to copy over your authorized_keys file for whatever user you are using at the moment (assuming you are root):
mkdir $WWW_DATA_HOME/.ssh
cp ~/.ssh/authorized_keys $WWW_DATA_HOME/.ssh/authorized_keys
chown www-data:www-data $WWW_DATA_HOME/.ssh/authorized_keys
You might also need to change the shell for the www-data user to log in to it:
chsh -s /bin/bash www-data
Now you should be able to do
ssh www-data#your-host.tld
and log in.
What this came down to was an improper Capistrano configuration. I followed the capistrano docs correctly (and made a 'deployer' user, same thing as the www-data as suggested above) and I have capistrano working like a charm. Also upgraded to Capistrano 3.
The rails 3.0 app is on ubuntu server using apache/passenger. The user to deploy the app is admin, it is also the user running the app (did not choose the name, admin has no root privileges). I updated paperclip again today.
The paperclip plugin is used to upload images. It upload correctly the images but the folder it creates are using permission that no one can read : drwxr-x--- 4 admin admin
As you can see there is no right for "others" but it seems apache try to read the file with www-admin.
The umask for admin user is 022, why does paperclip creates folders with no permissions for others?
How can i change that?
EDIT : I checked, passenger and rails process are all owned by admin.
If you're deploying with capistrano add this:
task :chmod_entire_deploy_dir do
sudo "#{sudo} chmod 0775 -R #{deploy_to}"
end
after "deploy:setup", :chmod_entire_deploy_dir
I have to change the user & group some times too:
task :chown_entire_deploy_dir do
sudo "#{sudo} chown my_user:my_group -R #{deploy_to}"
end
after "deploy:setup", :chown_entire_deploy_dir
Otherwise you can just chmod the directory manually.
I was trying to run my application and check for some output on the production.log. However Ruby on Rails throws this error.
Apache log
Rails Error: Unable to access log file. Please ensure that /var/www/somefolder/someapp/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
I have performed the necessary chmod 666 production.log to make it work but I realized that the file is under root access.
So my file permissions are
-rw-rw-rw- 1 root root 20845 2010-03-18 01:18 production.log
I'm not sure how to allow Ruby on Rails to access this file. I'm fairly new to managing a Linux production environment so I request you to excuse my ignorance.
I think you need to change the user and group of production.log to whatever user and group Rails (i.e. Passenger or Mongrel or whatever you are using) runs under.
Okay I just figured it out.
First need to update Apache.conf passenger configurations:
PassengerDefaultUser username
The assign ownership using chown:
chown -R username:username <folder>
I don't know if this is the right way but it worked for me.