File permissions in railsapp for non-root mongrel


Short version: what files and dirs need to be owned by the user mongrel is running as, for my rails app to work?

I've set up a mongrel cluster to serve my rails app. At first, I loaded up the mongrels using launchd (it's running on a mac), and the example plist-file I found for /Library/LaunchDaemons didn't set UserName, so the mongrels ran as root. Everything worked fine, but I felt that they should run as _www or some other non-privileged user. At first, I couldn't start the cluster, but that was because _www couldn't write to tmp/pids/, so I chowned that dir. Now the cluster started up, but I couldn't modify the database (I could read it though). This was a test app still on sqlite3, so I figured I'd better chown the db/*sqlite3 files as well. That didn't fix the problem though (is sqlite3 creating some sort of lock file or something?). I realized _www needs to write to log/* also, and in order to fix the sqlite3 problem I resorted to chown -R the entire rails app.

It works fine now, but I feel like I defeated some of the purpose of running mongrel as a non-privileged user. It now has write privileges on stuff it should never modify. Ideally, I'd like to give _www privileges to only the files and dirs it needs to modify. Can someone here give me a few pointers?

log/ tmp/ db/*sqlite3 what else?

- Martin
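A least-privilege layout for the paths named in the post, as an added example that is not part of Martin's post: the tree stays owned by the deploy account, and the server only gets group write on log/, tmp/ and the db/ directory (the directory itself, not just the .sqlite3 file, because SQLite creates its rollback journal beside the database file, which is the usual reason a chowned database still reads fine but cannot be written). The group name (_www), the app root and the function names are assumptions; an audit function lists anything else the server group could still write.

```shell
#!/bin/sh
# Added example (not from the post). Assumptions: the app tree is owned by a
# deploy account, Mongrel runs as a member of the group given as $2 (e.g. _www),
# and the app root is $1. Only the paths below become group-writable; db/ is
# included as a directory because SQLite writes its rollback journal next to
# the .sqlite3 file, so a writable file inside a read-only dir still fails.

# Paths, relative to the app root, the server process must be able to write.
writable_paths() {
    printf '%s\n' log tmp db
}

# Apply the layout: group read (and traverse) everywhere, nothing for other
# users, group write plus setgid on directories (so files the server creates,
# such as log files, pid files and sqlite journals, keep the group) only on
# the writable paths. Run as the owner of the tree.
harden_app() {
    app="$1"; grp="$2"
    for p in $(writable_paths); do
        mkdir -p "$app/$p"
    done
    chgrp -R "$grp" "$app" || return 1
    chmod -R g-w,g+rX,o-rwx "$app"
    for p in $(writable_paths); do
        chmod -R g+w "$app/$p"
        find "$app/$p" -type d -exec chmod g+s {} +
    done
}

# Group-write bit of a path taken from ls output ("w" or "-"); portable
# across macOS and Linux, unlike the differing stat(1) formats.
group_write_bit() {
    ls -ld "$1" | cut -c6
}

# List anything the server group could write outside the writable paths.
# Empty output means the app code and config are out of the server's reach.
audit_app() {
    app="$1"
    find "$app" -perm -g+w \
        ! -path "$app/log" ! -path "$app/log/*" \
        ! -path "$app/tmp" ! -path "$app/tmp/*" \
        ! -path "$app/db"  ! -path "$app/db/*"
}
```

Run `harden_app /path/to/railsapp _www` as the deploy user after each deploy, then `audit_app /path/to/railsapp` should print nothing.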