Rails/Passenger/Nginx user permission errors - ruby-on-rails

My Rails app is having trouble writing into it's public/ directory. I've setup nginx with user root;, the capistrano recipe I'm using also is using root when connecting via ssh.
To fix this I made capistrano run chmod o+w -R #{current_path}/ but I don't think this is a good solution. What am I missing?

According to Phusion Passenger's documentation:
Under no circumstances will applications be run as root. If
environment.rb/config.ru is owned as root or by an unknown user, then
the Rails/Rack application will run as the user specified by
passenger_default_user and passenger_default_group.
http://modrails.com/documentation/Users%20guide%20Nginx.html#user_switching

Related

Phusion Passenger can't run as root - WARNING: potential privilege escalation vulnerability

Hi I'm trying to deploy my rails app to VPS via passenger and apache2 but im getting error
[ W 2018-02-14 21:02:37.0342 9640/T1 age/Cor/CoreMain.cpp:969 ]: WARNING: potential privilege escalation vulnerability. Phusion Passenger is running as root, and part(s) of the passenger root path (/home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/gems/passenger-5.2.0) can be changed by non-root user(s):
The path "/home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/gems/passenger-5.2.0" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/gems/passenger-5.2.0" is writeable by any user (or application). Limit write access on the path to only the root user/group.
The path "/home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/gems" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy/.rvm/gems/ruby-2.4.1#spelld.it" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy/.rvm/gems" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy/.rvm" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
I try to change privileges but it didnt work
with
sudo chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/gems/passenger-5.2.0
and
sudo chown root:root /home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/gems/passenger-5.2.0
i even find issue with the same problem but i dont know how to fix it ... How can I avoid Phusion Passenger running as root?
Passenger author here. Another thing you can do is to install your RVM Ruby as well as Passenger with root, instead of as user "deploy". That way your Ruby installation and Passenger installation are owned by root and you won't see this warning.
Or even better: use our native Debian/Ubuntu/CentOS packages.
I also wanted to offer some insight. #Hongli's answer isn't all of it. #Taryn East is correct. Even if you chown every dir you also need to chmod every dir in order for Passenger to work correctly.
In your example you need to:
chmod 700 /home/deploy/.rvm
chmod 700 /home/deploy/.rvm/gems/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/gems/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1#spelld.it/gems/passenger-5.2.0

Rails / Carrierwave / GIT / nginx / Capistrano - can't create a directory in git releases folder

I'm using carrierwave in a rails app to upload files. It works fine on my development environment, but on my production VM (Ubuntu), I'm getting this error:
An Errno::EACCES occurred in users#update:
Permission denied - /home/yards/apps/yardsapp/releases/20130616143623/public/uploads/tmp/20130616-1438-14186-3184
/usr/local/lib/ruby/1.9.1/fileutils.rb:244:in `mkdir'
I'm pretty sure I understand what is going on, but I can't seem to figure out a fix. My capistrano deploy.rb is set up with the user as root. So when it creates the new release folder on a deploy, the access rights are for root (I think).
Then when I try to upload a file, I get that error because nginx is trying to execute a mkdir as www-data.
I could chown the folder after the deploy and it works...but then another deploy creates another new directory with owner set to root as default.
At least I think this is what is going on. Does anyone have any ideas on how I should be doing this?
Run your deployment as www-data. You might need to adjust the authorized_keys file for the www-data user as well to be able to connect.
To fastest way would be to copy over your authorized_keys file for whatever user you are using at the moment (assuming you are root):
mkdir $WWW_DATA_HOME/.ssh
cp ~/.ssh/authorized_keys $WWW_DATA_HOME/.ssh/authorized_keys
chown www-data:www-data $WWW_DATA_HOME/.ssh/authorized_keys
You might also need to change the shell for the www-data user to log in to it:
chsh -s /bin/bash www-data
Now you should be able to do
ssh www-data#your-host.tld
and log in.
What this came down to was an improper Capistrano configuration. I followed the capistrano docs correctly (and made a 'deployer' user, same thing as the www-data as suggested above) and I have capistrano working like a charm. Also upgraded to Capistrano 3.

Ruby on Rails Setup: Unable to access log file

I'm setting up Ruby on Rails for the first time; on my server, I've created and loaded the default rails app. I can view the default page ("Welcome aboard! You are riding Rails"), but when I go to click on the link to "View Application Environment", it generates a 500 error.
(You can view it here.)
I'd like to know more about the error, but, the log file ("log/production.log") is empty. Looking at my Apache log I find:
Rails Error: Unable to access log file. Please ensure that
/var/www/rails/myapp/log/production.log exists and is chmod 0666. The
log level has been raised to WARN and the output directed to STDERR
until the problem is fixed.
So, I actually want to get my Ruby on Rails error logging working.
I know this problem has been posted a few times before, but I tried everything I could find, so here's what I have tried:
Created the "log/production.log" file, set the owner to www-data, set chmod 0666.
Set the owner of the "log" folder to www-data, set chmod 0666.
Double-checked my production environment settings such that config.log_level = :info is set.
Checked that Apache is using the www-data user ("etc/apache2/envvars"):
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
"etc/apache2/mods-available/passenger.conf" has a default user set for Passenger:
<IfModule mod_passenger.c>
PassengerRoot /usr
PassengerRuby /usr/bin/ruby
PassengerDefaultUser www-data
</IfModule>
The owner of "config.ru" and "configs/environment.rb" is www-data
My virtual host has been set accordingly:
DocumentRoot /var/www/rails/myapp/public
RackBaseURI /
RackEnv production
PassengerMaxPoolSize 4
Already read and attempted all the fixes suggested in these places:
Rails: Unable to access log file
Can't access log files in production
http://railsforum.com/viewtopic.php?id=36168
Why am I getting Permission denied error in deployment on files generated by capistrano?
http://bradhe.wordpress.com/2011/06/26/a-sneaky-rails-3-bug-in-logging/
(That's all I can remember trying right now...)
Some environment settings of mine:
Ubuntu 11.10 running on Amazon EC2
Apache 2.2.20
RVM 1.10.2
Ruby 1.9.3p0
Rails 3.1.3
This issue is resolved now, though the the cause of the problem itself isn't entirely clear.
I had some weird configuration issues with Apache & Passenger (a.k.a. ModRails). Two modules existed: one that appeared to come packaged with Apache(?) and one I obtained via passenger-install-apache2-module. When I pointed to the pre-installed one, I had this logging issue. When I pointed to the one deployed by passenger-install-apache2-module, I had a completely different issue where Passenger would crash with a segfault (see my post on ServerFault here.)
In the end, I completely wiped my server and performed a clean install of everything from the base Ubuntu AMI (running on Amazon EC2 made this easy enough.) Upon reinstalling, I ran passenger-install-apache2-module and configured Apache to load the module deployed by it. This time, the module didn't crash, but the log error appeared. I set chmod 755 on the root of my Rails application, made sure the production.log existed and that it had at least chmod 0666 privileges. And voila, problem gone.
TL;DR Did a fresh install, made sure I was using the latest Passenger module, and my file permissions were set properly.

Can't access log files in production

I was trying to run my application and check for some output on the production.log. However Ruby on Rails throws this error.
Apache log
Rails Error: Unable to access log file. Please ensure that /var/www/somefolder/someapp/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
I have performed the necessary chmod 666 production.log to make it work but I realized that the file is under root access.
So my file permissions are
-rw-rw-rw- 1 root root 20845 2010-03-18 01:18 production.log
I'm not sure how to allow Ruby on Rails to access this file. I'm fairly new to managing a Linux production environment so I request you to excuse my ignorance.
I think you need to change the user and group of production.log to whatever user and group Rails (i.e. Passenger or Mongrel or whatever you are using) runs under.
Okay I just figured it out.
First need to update Apache.conf passenger configurations:
PassengerDefaultUser username
The assign ownership using chown:
chown -R username:username <folder>
I don't know if this is the right way but it worked for me.

Rails not loading CSS/javascript/images on ISP server

I have a Rails app that works fine on my local environment. But when I upload it to my ISP the app is not loading any of the assets in the public directory. Because the ISP uses .htaccess rewrites for Rails apps, I suspect this is the problem, but I'm pretty green on that sort of thing.
On the server, my rails app is deployed at ~/etc/rails_apps/myapp
In my home dir there's a symlink www -> etc/rails_apps/myapp/public
Isn't the idea that the symlink loads the assets from etc/rails_apps/myapp/public? Am I missing something else?
The server is Mongrel, if that matters.
The public/stylesheets and public/javascripts dirs both have 755 permissions, if that matters.
Please specify the Hosting environment that you are using whether its shared host like Bluehost or Hosmonster or Dedicated Hosting Service .
If you are hosting in a Shared hosting environment , Then your rails root directory should be in /home/user-name/rails_apps. Since the shared host provider doesn't allow you to change the permission of the /etc folder .
if your railsapps is in /home/user-name/rails_apps/yourapp then in the created symbolic link chmod 777 permission to the created symobilic folder which will be your domain name inside the public_html folder .
ln -s ~/rails/your-rails-app-name/public your-domain-name-without-extension
example : ln -s ~/rails/your-rails-app-name/public stackoverflow
$ chmod 777 /public_html/stackoverflow
Hope this helps !

Resources