I have read a few interesting articles and watched a few videos but I'm afraid I still have a few things I need help with understanding. I'm a very new dabbler to all this.
1) The example listed in the blog made sense and I tried to implement it but unfortunately my django project is in the home folder and the full wsgi path is /home/serverio/server.io_Tools/server.io/mysite/mysite/wsgi.py. And since www-data needs read and execute permission in order to open the folders leading up to the last mysite directory, I tried creating a new group which has rwx permission on the static and media folders. This was ok for the static and media folder because I used django collectstatic to move those files into the /var/www folder, which also has the group that www-data belongs to as its group. The blog did not speak much about situations like mine, where I have wsgi.py in my home folder as shown above. So I tried to make the group of the home folder the same group that www-data belongs to (recursively) but the end result was that I could not open the folder from Ubuntu's GUI interface even though I also put my username into the same group that is used by www-data and I confirmed that I was also the owner of the directory when I did ls -l. So I abandoned this method and I put www-data in the same group that my userid (the username that was used to build the server) belongs to and applied a chmod of 770 to the home folder recursively. With this change, apache was able to open my django app but I really think I may have created a security problem?
2) In the video link, Graham Dumpleton advised applying a chmod of o+rx to the wsgi path, which in my case is (/home/serverio/server.io_Tools/server.io/mysite/mysite/). I suspect that means that any web user will now be able to read the files on the computer because Graham also said people should consider moving the django project to a non-home location. In this forum, I have seen people moving their project to /var/www and I have seen people comment that this is a risk. Graham also spoke about moving the wsgi file ONLY to a new location but I got lost during the explanation.
I suppose my questions are :
a) when a user is browsing a site, what permissions are they using; is it www-data or other (o)? and when we say o+rx are we giving these web users this permission through this command? Is this enough permission for them to read the raw python code?
b) given my current situation, what's the simplest and most effective way forward for me?
Thanks forum.
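File permissions on the wsgi path are checked against the Unix account the Apache/mod_wsgi process runs as (for example www-data), not against the browser visitor. The following added example (not code from the blog, the video or this thread) walks every directory down to wsgi.py and reports which permission class (owner, group or other) applies to a given account and where access stops. The function names and the `start` parameter are illustrative, and only plain mode bits are modelled.

```python
import stat
from pathlib import Path

SHIFT = {"owner": 6, "group": 3, "other": 0}

def permission_class(st, uid, gids):
    """Triplet the kernel applies: owner first, then group, else other."""
    if st.st_uid == uid:
        return "owner"
    return "group" if st.st_gid in gids else "other"

def audit_path(target, uid, gids, start="/"):
    """Check every component from start down to target for one identity.

    Directories need x (traverse); the final file needs r.
    Returns (rows, blocked_at). ACLs, root and MAC policies
    (AppArmor/SELinux) are not modelled.
    """
    target, start = Path(target).resolve(), Path(start).resolve()
    chain = [p for p in [*reversed(target.parents), target]
             if p == start or start in p.parents]
    rows, blocked_at = [], None
    for p in chain:
        st = p.stat()
        mode = stat.S_IMODE(st.st_mode)
        cls = permission_class(st, uid, gids)
        need = 0o1 if p.is_dir() else 0o4
        ok = bool((mode >> SHIFT[cls]) & need)
        rows.append({"path": str(p), "mode": oct(mode), "class": cls,
                     "ok": ok, "world": mode & 0o7})
        if not ok and blocked_at is None:
            blocked_at = str(p)
    return rows, blocked_at

if __name__ == "__main__":
    import grp, pwd, sys
    # Usage: python audit_path.py /path/to/wsgi.py www-data
    user = pwd.getpwnam(sys.argv[2])
    gids = {user.pw_gid} | {g.gr_gid for g in grp.getgrall() if user.pw_name in g.gr_mem}
    rows, blocked = audit_path(sys.argv[1], user.pw_uid, gids)
    for r in rows:
        print(f'{r["mode"]:>7} {r["class"]:<5} ok={r["ok"]} world={r["world"]:o} {r["path"]}')
    print("blocked at:", blocked)
```

A non-zero `world` column on a home directory or source file means every local account, not only the web server, has that access; a `group` row with mode 0o770 means the web server account can also write there.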
Related
I am trying to deploy my Django app on AWS Lightsail.
When I try to login/register, I am getting this error:
Attempt to write a readonly database
I have been googling solutions for quite some time and have tried setting different permissions, even giving away all permissions which might be a huge security risk, however it still doesn't work.
Could anyone help me?
Check that your file is owned by bitnami:bitnami. (I've been having the same exact issue as yours and I haven't been able to fix it either.)
So, in case someone else has this problem, what should work and what worked for me:
I moved db.sqlite3 file to one folder outside of main project dir.
Then I changed address to this file in settings.py to os.path.join(BASE_DIR, '..', 'db.sqlite3')
Though I feel like it's really a problem of user permissions, but that's above my current skill level.
I found another solution that worked for me.
See: https://github.com/mchesler613/django_adventures/blob/main/deploy_django_aws_bitnami.md
Author goes into detail about the details behind the error.
See "Error: Attempt to write a readonly database"
Change group ownership of the project root directory and the database file to daemon. For example:
$ sudo chgrp daemon project_directory project_directory/database_file
Make the project root directory and the database file writable by the daemon group. For example:
$ sudo chmod g+w project_directory project_directory/database_file
To see if the database error goes away, try reloading the Django app on the browser.
I had the same problem. Changing db.sqlite3 mode to writable doesn't work for me. I can use django shell to add data to db.sqlite3 but from apache2, it doesn't work.
Finally, I changed the owner of the directory where db.sqlite3 is located to www-data:www-data, and it worked.
We are facing a very weird issue. We ship a django application in a docker container through Github Actions on each push. Everything is working fine except collectstatic.
We have the following lines at the end of our CD github action:
docker exec container_name python manage.py migrate --noinput
docker exec container_name python manage.py collectstatic --noinput
migrate works perfectly fine, but collectstatic just keeps on waiting if run through the github action. If I run the command directly on the server then it works just fine and completes within a few minutes.
Can someone please help me figure out what could be the issue?
Thanks in advance.
Now I am far from the most experienced but I did this recently and I have some suggestions of where to look. I'm definitely not the greatest authority though.
I wasn't using docker so I can't say anything about that. From the issues I had, here are some suggestions I can recommend trying.
Take note that all of this was for a self-hosted runner. Things would be very different otherwise.
Check to make sure STATIC_ROOT and MEDIA_ROOT variables are set correctly in the settings file.
If the STATIC and MEDIA root variables are environment variables make sure you are serving the correct environment variables file like a .env file which I used.
I used django-environ to serve my environment variables. From the docs, it says to have the .env file in the same directory as the settings file. Well if you are putting the project on a production server with github actions, you won't be able to put the .env file anywhere in the project because it will get overwritten every time new code is pushed.
So to fix that you need to specify the correct .env file from somewhere else on the server. Do that by specifying ENV_PATH.
https://django-environ.readthedocs.io/en/latest/
Under the section Multiple env files
Another resource that was helpful:
https://github.com/joke2k/django-environ/issues/143
I set up my settings file like how they did there.
I put my .env file in a proj directory I made in the virtualenvironment folder for the project.
I don't know if it's a good place to put it but that's how I did it. I didn't find much great info online for this stuff. Had to figure out a lot on my own.
Make sure the user which is running the github action has permissions to read the .env file.
Also like .env file, if you have the static files being collected into the base directory of your project you might have an issue with github actions overwriting those files every time new code is pushed. If you have a media directory where the user uploads files to then that will really be an issue because those files won't get overwritten. They'll just disappear.
Now if this was an issue it shouldn't cause github actions to just get stuck on the collect static command. It would just cause files to get overwritten every time the workflow runs and the media files will disappear.
If you do change the directory of where the static and media files are located as stated before, make sure all the variables for the paths are correct in the settings file and the .env file.
You will also need to update the nginx config file for the static and media root directories if you used nginx. Not sure about how apache does this.
You can do that with this command:
sudo nano /etc/nginx/sites-available/myproject
Don't forget to restart the nginx server after doing that.
If you are writing static and media files at a different location from the base project directory on the server, also check permissions on those directories. Make sure the user running the github action has permissions to write to those directories. I suspect that might cause it to hang but it very well might just cause an error.
Check all the syntax in the github actions yml file. Make sure everything is correct and it's not hanging cause it had an incomplete command or something like that.
But yeah, that's some things I had to take a look at. Honestly, none of this might be relevant for you. All of these issues should cause an error somewhere for the most part.
I couldn't really offer many external resources for you to look deeper into this because I'm just speaking from personal experience.
Hope I could help.
Here's my github repo for the project I did: https://github.com/pkudlanov/personal-portfolio-django
I hosted it on digitalocean on a linux server using nginx and gunicorn.
I deployed the server with Ubuntu 18, Django, Gunicorn, Nginx
And I ran into this problem:
everything works great but,
When I upload large picture files in Django, Nginx gives a 403 Forbidden error.
I updated the permissions on the folder with static files to 755. It works!
But when I upload other files, the rights do not work.
I added the user root and user www-data to the folder owner’s group, but nothing has changed.
I understand that Nginx has no permissions, but how can I implement the inheritance of permissions for new files from the parent folder,
or will you suggest another solution?
You need to add the FILE_UPLOAD_PERMISSIONS=0o644 variable to your settings.py file.
This is the numeric mode (i.e. 0o644) to set newly uploaded files to.
For more information, please read this doc.
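Why only large uploads hit the 403, shown as an added simulation (not Django's code and not from this thread): Django keeps uploads above FILE_UPLOAD_MAX_MEMORY_SIZE (2.5 MB by default) in a temporary file created with mode 0o600 and moves it into the media folder, while smaller uploads are written directly with 0o666 masked by the umask. The helper names below are illustrative; `upload_perms` stands in for FILE_UPLOAD_PERMISSIONS.

```python
import os
import shutil
import stat
import tempfile

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def save_from_memory(dest, data):
    """Small upload held in memory: written directly, mode = 0o666 & ~umask."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def save_from_tempfile(dest, data, tmp_dir):
    """Large upload: spooled to a temp file (created 0o600), then moved into place."""
    with tempfile.NamedTemporaryFile(dir=tmp_dir, delete=False) as tmp:
        tmp.write(data)
    shutil.move(tmp.name, dest)  # the move keeps the 0o600 mode

def demo(upload_perms=0o644):
    """Return the resulting file modes for both upload paths and after the fix."""
    old_umask = os.umask(0o022)  # typical service umask, fixed here for repeatability
    try:
        with tempfile.TemporaryDirectory() as media:
            small = os.path.join(media, "small.jpg")
            large = os.path.join(media, "large.jpg")
            save_from_memory(small, b"x" * 10)
            save_from_tempfile(large, b"x" * 10, tmp_dir=media)
            modes = {"memory": mode_of(small), "tempfile": mode_of(large)}
            os.chmod(large, upload_perms)  # what the setting causes after each save
            modes["fixed"] = mode_of(large)
            return modes
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    for name, mode in demo().items():
        others_read = bool(mode & stat.S_IROTH)
        print(f"{name:<9} {oct(mode)}  readable by other accounts: {others_read}")
```

0o644 makes every upload readable by all local accounts; where Nginx shares a group with the application user, 0o640 is the narrower choice, and FILE_UPLOAD_DIRECTORY_PERMISSIONS covers directories Django creates under the media root.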
Try using this:
chown -R www-data:www-data 'your project folder'
I have a django app containing a model with a file upload field. The upload field takes the targeted file and uploads a copy to either an existing directory in the media root or, if the directory hasn't been created, it creates the directory and drops the file inside of it.
The app works beautifully in dev, utilizing the built-in django server, but when I move it to a production server (my OSX machine running an apache2 instance with mod_wsgi) I get "[Error 13] Permission denied" thrown from the mkdir function in django's storage.py whenever I try to upload a file. I strongly suspect there is permission syntax that needs to be added to my apache httpd.conf. I don't know why else the django server has no trouble with the code but apache gags. Does anyone know?
Permissions issues are described in mod_wsgi documentation at:
http://code.google.com/p/modwsgi/wiki/ApplicationIssues#Access_Rights_Of_Apache_User
I guess sometimes an error message is exactly what it says it is. In this case "[Error 13] Permission denied" was being thrown because apache didn't have write access to the directories the django app was attempting to upload to. I simply navigated to the directories I set as file upload directories, and gave write permissions on them systemwide. This probably wasn't the most secure solution, but it was the most practical, as it works and I don't know how to explicitly set write permissions for apache2 without just opening the directory systemwide.
Also, I didn't post the question at serverfault because I didn't know whether it was a django config issue or an apache issue.
I'm using django with wsgi on apache2.
I was trying to access a css file in my site/static/css folder and since the permission was 644, the css file could not be accessed by apache2.
So I chmod 645 on the site/static/css folder and everything was fine. However, I am worried that granting execution rights to everyone to anything in the css folder could cause security problems. What is the correct way to tackle this problem, perhaps a way to grant certain permissions using the httpd.conf file?
Thanks!
You can use chown to cause the files to be owned by the same group as apache (www-data?) and then set the permission on the group instead of everyone.