RoR on CentOS 5, file permissions

Passenger runs as the user and group Apache runs as. That said you
should not need to add the executable bit to any Ruby file unless it's
a bin file, Ruby is not PHP (actually that always kinda annoyed me
about PHP a bit :/..) That said, even if Apache was added to the git
group that does not mean that Apache will run with the git group since
Apache sets its user and group. Your best bet in that situation is to
set the group via configurations. I don't know how CentOS sets up
Apache so you'll have to grep that out.

On the permissions part, I would probably set it up as 640.

Passenger runs as the user and group Apache runs as.

I once got an error message which implied that the db dir should be accessible to the user nobody:nobody - and my apache is set to run as apache:apache. I haven’t tested this, though. As a temporary solution my db directory is now world-writable.

That said you should not need to add the executable bit to any Ruby file unless it’s a bin file, Ruby is not PHP (actually that always kinda annoyed me about PHP a bit :/…)

I had the exec bit on only because of directory access. I was too lazy to adjust separately for files and directories.

That said, even if Apache was added to the git group that does not mean that Apache will run with the git group since Apache sets its user and group. Your best bet in that situation is to set the group via configurations. I don’t know how CentOS sets up Apache so you’ll have to grep that out.

On the permissions part, I would probably set it up as 640.

Let’s see… I switched the group assignments so that now git is a member of apache group (and not vice versa). Both apache and git seem to work ok.

Also I made this bash script which I run now and then. So far I am good with this. The permissions are not quite optimal, though. For example I don’t like world-writable directories.

# this file should be at the project root
myproj='.'

# basic settings
chgrp -R apache "$myproj"
chmod -R 774 "$myproj"

# project dir
chmod o+x "$myproj"

# subdirs and their contents
find "$myproj"/* -type d -exec chmod 2775 {} \;
chmod -R 777 "$myproj/db" "$myproj/tmp"
chmod 666 "$myproj"/log/*

  • Jussi

Passenger runs as the user and group Apache runs as.

I once got an error message which implied that the db dir should be accessible to the user nobody:nobody - and my apache is set to run as apache:apache. I haven’t tested this, though. As a temporary solution my db directory is now world-writable.

You can configure which user your Ruby code runs as. Whatever user that is clearly needs read access to your app (and possibly write access to tmp).

Fred

I found a way to do this - using the Process::UID module.
http://ruby-doc.org/core-2.0/Process/UID.html

Where should I put this in my project? And would it be harmful to use the “apache” user - same as Apache/Passenger? That would simplify setting the permissions in the project directory.

BTW, why can't I post in this group with Thunderbird? Those emails just vanish and never get to the group. I can only post with a browser, using groups.google.com. Is this normal?

  • Jussi

Is the email address you use with thunderbird the one you used to register with?

Colin

Yes.

  • Jussi

You can configure which user your Ruby code runs as. Whatever user that is clearly needs read access to your app (and possibly write access to tmp).

I found a way to do this - using the Process::UID module.
http://ruby-doc.org/core-2.0/Process/UID.html

Where should I put this in my project? And would it be harmful to use the “apache” user - same as Apache/Passenger? That would simplify setting the permissions in the project directory.

You should just be able to set this in the virtual host configuration.

Fred

Now I found a way to do this. I could add

PassengerDefaultUser apache
# (or whichever user you like except root)

to the virtual host block of the apache conf. I just tested this, and it works.

But there is a more elegant way. All the necessary information is here:

http://www.modrails.com/documentation/Users%20guide%20Apache.html#user_switching

In essence, you just need to change the owner of config/environment.rb. This I did not test yet, though.

  • Jussi
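
An added example, not part of the thread: a small POSIX shell audit for the points raised above (world-writable paths such as those left by the `chmod 777` and `chmod 666` lines, execute bits on files outside `bin/` and `script/`, and the owner of `config/environment.rb`). The function names and the `KIND path` output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Rails project tree for the
# permission problems discussed above. The project root is the only argument.

# Print one "KIND path" line per finding; print nothing for a clean tree.
audit_rails_perms() {
    root=${1:-.}

    # World-writable files and directories, e.g. what `chmod -R 777 db tmp`
    # and `chmod 666 log/*` leave behind. Any local account can modify these.
    find "$root" \( -type f -o -type d \) -perm -0002 \
        -exec echo WORLD_WRITABLE {} \;

    # Regular files with an execute bit outside bin/ and script/. Ruby
    # source only has to be readable by the application user, so 640 is
    # enough for .rb files.
    find "$root" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        ! -path "$root/bin/*" ! -path "$root/script/*" \
        ! -path "$root/.git/*" \
        -exec echo EXEC_BIT {} \;
}

# Print the owner of config/environment.rb, the file whose ownership the
# user-switching documentation linked in the thread says to change.
app_owner() {
    root=${1:-.}
    f=$root/config/environment.rb
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # `ls -ld` is used instead of `stat` because stat's flags differ
    # between GNU and BSD systems.
    ls -ld "$f" | awk '{ print $3 }'
}

# Run the audit when the script is called with a project path.
if [ "$#" -gt 0 ]; then
    audit_rails_perms "$1"
    echo "APP_OWNER $(app_owner "$1")"
fi
```

Run it as `sh audit.sh /path/to/project`; an empty audit plus an `APP_OWNER` line naming the intended unprivileged user is the result to aim for.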