I'm using Ubuntu 13.04. I'm running uwsgi using sudo service uwsgi start
I've configured the log file in Django as /home/shwetanka/logs/mysite/mysite.log
But I'm getting this error -
ValueError: Unable to configure handler 'file': [Errno 13] Permission denied: '/home/shwetanka/logs/mysite/mysite.log'
How do I fix it? This should not happen when I run uwsgi as sudo.
You need to fix permissions with the chmod command, like this: chmod 775 /home/shwetanka/logs/mysite/mysite.log.
Take a look at the owner of the file with ls -l /home/shwetanka/logs/mysite/mysite.log and make it writable to uwsgi. If the file isn't owned by uwsgi, you'll have to use the chown command.
Take a look at the username under which your service is running with ps aux | grep 'uwsgi'.
If security isn't so important to you at the moment, use chmod 777 /home/shwetanka/logs/mysite/mysite.log and that's it. But that's not how this is done.
The safest way to do this would be to check the owner and the group of the file and then change them if necessary and adjust the permissions accordingly.
Let's give an example.
If I have a file in /home/shwetanka/logs/mysite/mysite.log and the command ls -l /home/shwetanka/logs/mysite/mysite.log gives the following output:
-rw-rw-r-- 1 shwetanka shwetanka 1089 Aug 26 18:15 /home/shwetanka/logs/mysite/mysite.log
it means that the owner of the file is shwetanka and the group is also shwetanka. Now let's read the rwx bits. The first group is related to the file owner, so rw- means that the file is readable and writable by the owner, readable and writable by the group and readable by the others. You must make sure that the owner of the file is the service that's trying to write something to it or that the file belongs to the group of the service, or you'll get a permission denied error.
Now if I have a username uwsgi that's used by the uWSGI service and want the above file to be writable by that service, I have to change the owner of the file, like this:
chown uwsgi /home/shwetanka/logs/mysite/mysite.log. Since the write bit for the owner (the first rwx group) is already set to 1, that file will now be writable by the uWSGI service. For any further questions, please leave a comment.
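The owner/group/other reasoning above, as an added example that is not part of the original answer: a Python check that reports the first path component whose mode bits stop a given uid and group set from writing a log file. It goes beyond the file itself by also checking search (x) permission on every parent directory; the directory tree, the service uid and the `start` parameter are constructed for the demonstration.

```python
import os
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet that applies: owner class, else group class, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_write_blocker(path, uid, gids, start=os.sep):
    """Return (component, reason) for the first mode-bit obstacle stopping
    uid/gids from writing to path (which must lie under start), else None.
    Mode bits only: ACLs, SELinux and AppArmor are not evaluated."""
    if uid == 0:                              # root bypasses mode-bit checks
        return None
    path, current = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(os.path.dirname(path), current)
    dirs = [current]
    for name in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, name)
        dirs.append(current)
    for d in dirs:                            # every directory needs search (x)
        if not class_bits(os.stat(d), uid, gids) & 1:
            return (d, "directory lacks search (x) permission")
    if os.path.exists(path):
        if not class_bits(os.stat(path), uid, gids) & 2:
            return (path, "file lacks write (w) permission")
    elif not class_bits(os.stat(dirs[-1]), uid, gids) & 2:
        return (dirs[-1], "directory lacks write (w) permission to create the file")
    return None

def demo():
    """Constructed tree shaped like <home>/logs/mysite.log; not the poster's system."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home_user")
    logdir = os.path.join(home, "logs")
    os.makedirs(logdir)
    log = os.path.join(logdir, "mysite.log")
    open(log, "w").close()
    for p, mode in ((base, 0o755), (home, 0o700), (logdir, 0o755), (log, 0o664)):
        os.chmod(p, mode)
    st = os.stat(log)
    svc = (st.st_uid + 1, {st.st_gid})        # hypothetical service uid in the file's group
    blocked = first_write_blocker(log, *svc, start=base)    # private home blocks traversal
    os.chmod(home, 0o750)                                   # group may now traverse
    allowed = first_write_blocker(log, *svc, start=base)
    os.chmod(log, 0o644)                                    # group loses write on the file
    readonly = first_write_blocker(log, *svc, start=base)
    return home, log, blocked, allowed, readonly

if __name__ == "__main__":
    print(demo()[2:])
```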
Alternatively you can set umask option for uwsgi (http://uwsgi-docs.readthedocs.org/en/latest/Options.html#umask).
I had the same situation, I was running uwsgi via www-data and I used buildout. So this fix in my case looked like this:
[uwsgi]
recipe = buildout.recipe.uwsgi
xml-socket = /tmp/uwsgi.sock
xml-master = True
xml-chmod-socket = 666
xml-umask = 0002
xml-workers = 3
xml-env = ...
xml-wsgi-file = ...
After this log file permissions became 664, so group members of www-data group can also write into it.
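What the umask setting above does to a log file created by Python's logging, as an added example that is not from the original answer: the same handler yields 644 under umask 0022 and 664 under 0002, and a file that already exists keeps its old mode. File names are constructed for the demonstration.

```python
import logging
import os
import stat
import tempfile

def log_mode_under_umask(mask, path):
    """Open path with logging.FileHandler under the given umask and
    return the resulting permission bits of the file."""
    old = os.umask(mask)
    try:
        handler = logging.FileHandler(path)   # creates the file if it is missing
        handler.close()
    finally:
        os.umask(old)                         # restore the process umask
    return stat.S_IMODE(os.stat(path).st_mode)

def umask_demo():
    d = tempfile.mkdtemp()
    first = os.path.join(d, "a.log")
    second = os.path.join(d, "b.log")
    default = log_mode_under_umask(0o022, first)    # owner-only write
    shared = log_mode_under_umask(0o002, second)    # group members may write too
    # The umask applies only at creation: reopening a.log does not widen it.
    reopened = log_mode_under_umask(0o002, first)
    return default, shared, reopened

if __name__ == "__main__":
    print([oct(m) for m in umask_demo()])
```

A log file created before the umask change therefore still needs chmod or chown, or has to be removed so the service recreates it.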
I am trying to copy files to an AWS instance using SCP but am running into a permission denied error as below. I tried to change the group name to "Users" as well, which didn't work either. Can anyone provide guidance on how to fix this?
drwx------+ 1 username NA+Group(513) 0 May 10 23:33 .ssh
-rwxr-xr-x 1 Administrators NA+Group(513) 1692 May 5 17:00 ngc.pem
-rwxr-xr-x 1 Administrators NA+Group(513) 1692 May 8 12:47 test.pem
-rwxr-xr-x 1 Administrators NA+Group(513) 1464 May 8 13:45 test.ppk
username@machine ~
$ scp -i test.pem index.html ec2-publicip.us-west-2.compute.amazonaws.com:~
Permission denied (publickey).
lost connection
username@machine ~
$ chown usernam1 test.pem
chown: changing ownership of 'test.pem': Permission denied
username@machine ~
$ chown :Users test.pem
chown: changing group of 'test.pem': Permission denied
Permission denied does not relate to the permissions of the .pem file on your computer, but to the permissions of the .pem file to the server it is trying to access. First, you need to specify the specific user you are trying to scp into. For example, if this is an Ubuntu server, the correct syntax for the command would be scp -i test.pem index.html ubuntu@ec2-publicip.us-west-2.compute.amazonaws.com:. which will copy the file to the home folder of the ubuntu user.
I am using ansijet to automate an Ansible playbook so that it runs on a button click. The playbook is to stop the running instances on AWS. If run manually from the command line, the playbook runs well and does the tasks. But when run through the web interface of ansijet, the following error is encountered:
Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: mkdir -p $HOME/.ansible/tmp/ansible-tmp-1390414200.76-192986604554742 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1390414200.76-192986604554742 && echo $HOME/.ansible/tmp/ansible-tmp-1390414200.76-192986604554742, exited with result 1:
Following is the ansible.cfg configuration.
# some basic default values...
inventory = /etc/ansible/hosts
#library = /usr/share/my_modules/
remote_tmp = $HOME/.ansible/tmp/
pattern = *
forks = 5
poll_interval = 15
sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
transport = smart
#remote_port = 22
module_lang = C
I tried to change the remote_tmp path to /home/ubuntu/.ansible/tmp
but I'm still getting the same error.
By default, the user Ansible connects to remote servers as will have the same name as the user Ansible runs as. In the case of Ansijet, it will try to connect to remote servers with whatever user started Ansijet's node.js process. You can override this by specifying the remote_user in a playbook or globally in the ansible.cfg file.
Ansible will try to create the temp directory if it doesn't already exist, but will be unable to if that user does not have a home directory or if their home directory permissions do not allow them write access.
I actually changed the temp directory in my ansible.cfg file to point to a location in /tmp which works around these sorts of issues.
remote_tmp = /tmp/.ansible-${USER}/tmp
I faced the same problem a while ago and solved it like this. The possible case is that the remote server's /tmp directory did not have enough permissions to write. Run the ls -ld /tmp command to make sure its output looks something like this:
drwxrwxrwt 7 root root 20480 Feb 4 14:18 /tmp
I have the root user as superuser and /tmp has 1777 permissions.
Also for me simply -
remote_tmp = /tmp worked well.
Another check would be to make sure $HOME is present in the shell which you are trying to run. Ansible runs commands via the /bin/sh shell and not /bin/bash. Make sure that $HOME is present in the sh shell.
In my case I needed to login to the server for the first time and change the default password.
Check the ansible user on the remote / client machine as this error occurs when the ansible user password expires on the remote / client machine.
==========
'WARNING: Your password has expired.\nPassword change required but no TTY available.\n')
<*.*.*.*> Failed to connect to the host via ssh: WARNING: Your password has expired.
Password change required but no TTY available.
Actual error :
host_name | UNREACHABLE! => {
"changed": false,
"msg": "Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo /tmp/ansible-$USER `\"&& mkdir /tmp/ansible-$USER/ansible-tmp-1655256382.78-15189-162690599720687 && echo ansible-tmp-1655256382.78-15189-162690599720687=\"` echo /tmp/ansible-$USER/ansible-tmp-1655256382.78-15189-162690599720687 `\" ), exited with result 1",
"unreachable": true
===========
This could happen mainly because on the Remote Server, there is no home directory present for the user.
The following steps resolved the issue for me -
Log into the remote server.
Switch to root.
If linux_user is the user as which the host (in my case Ansible) is trying to connect, then run the following commands:
mkdir /home/linux_user
chown linux_user:linux_user /home/linux_user
Environment
Linux Mint 17.1
Python 2.7
pyserial 2.7
Arduino UNO rv3
Desired Behaviour
I'm trying to send three values from a Python application to Arduino.
It works when doing the following from terminal:
$ python
>>> import serial
>>> import struct
>>> ser = serial.Serial('/dev/ttyACM0', 9600)
>>> ser.write(struct.pack('>3B', 255, 0, 0))
Current Behaviour
It doesn't work when using the same code in a Python file ie:
import serial
import struct
ser = serial.Serial('/dev/ttyACM0', 9600)
ser.write(struct.pack('>3B', red_value, green_value, blue_value))
Error Message
$ sudo tail -100 /var/log/apache2/error.log
OSError: [Errno 13] Permission denied: '/dev/ttyACM0'
Troubleshooting
Permissions
Application file:
$ ls -l
-rwxr-xr-x 1 myname mygroupname 114146 Jan 9 19:16 my_application.py
ttyACM0:
ls -l /dev/ttyACM0
crw-rw---- 1 root dialout 166, 0 Jan 9 20:12 /dev/ttyACM0
Groups
Groups the owner is a member of:
$ groups
mygroupname adm dialout cdrom sudo dip plugdev lpadmin sambashare
Due to various suggestions on the internet I also added the owner to the tty group via System Settings > Users and Groups. This had no effect.
Serial Ports Available
$ dmesg | grep tty
[ 0.000000] console [tty0] enabled
[ 3390.614686] cdc_acm 3-2:1.0: ttyACM0: USB ACM device
Update
I can force it to work under the following conditions:
01. Permissions for world must be set to rw ie:
sudo chmod 666 /dev/ttyACM0
02. Arduino IDE serial monitor needs to be open.
However these conditions are not sustainable as:
Permissions are reset each time the USB is connected.
The Arduino IDE serial monitor shouldn't need to be open.
The following fleshes out some of the ideas in the first answer (I tried to add this content to that answer and accept it, but the edits were rejected). I'm not an expert in the area, so please just use this information to support your own research.
You can do one of the following:
01. Alter the permissions on /dev/ttyACM0 so that world has read and write privileges (something you may not want to do), although you may find they reset each time the device is plugged in, e.g.:
sudo chmod 666 /dev/ttyACM0
02. Create a rule in /etc/udev/rules.d that will set the permissions of the device (a restart will be required):
# navigate to rules.d directory
cd /etc/udev/rules.d
# create a new rule file
sudo touch my-newrule.rules
# open the file
sudo vim my-newrule.rules
# add the following
KERNEL=="ttyACM0", MODE="0666"
This also sets permissions for world to read and write, which you may not want to do.
For more information about this approach, see these answers:
https://unix.stackexchange.com/a/48596/92486
https://stackoverflow.com/a/11848003/1063287
03. The third option, which is the option I implemented, adds the Apache user to the dialout group so that if the script is being run by Apache, then it can access the device.
a) Find the location of your Apache config file, then search for the User setting within that file:
# open file in editor
sudo vim /etc/apache2/apache2.conf
# search for User setting
/User
You may find something like:
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
b) Quit vim and search for APACHE_RUN_USER in /etc/apache2/envvars (if the above scenario applies):
# open file in editor
sudo vim /etc/apache2/envvars
# search for APACHE_RUN_USER
/APACHE_RUN_USER
You may find something like:
export APACHE_RUN_USER=www-data
c) Add the User www-data to the dialout group:
sudo usermod -a -G dialout www-data
d) Restart.
As the Apache user has been added to the dialout group, the script should now be able to access the device.
Further Reading
How to find the location of the Apache config file:
https://stackoverflow.com/a/12202042/1063287
The permissions on the file make no difference to the user that the program runs as.
When you are logged in interactively, you do have permission to use /dev/ttyACM0.
When your script is running (presumably as the Apache user), it does not have permission.
You need to alter the permissions on /dev/ttyACM0.
See the 2nd answer here, "How can I programmatically set permissions on my char device", for an example of altering udev permissions so the file has the correct permissions.
Based on the accepted answer, I was able to just add the following to my setup.sh script
printf "KERNEL==\"ttyACM0\", MODE=\"0666\"" | sudo tee /etc/udev/rules.d/si-ct.rules
I am having an issue with my Django Logger and after checking the Apache logs I can see that it is a permission error.
[Mon Dec 15 22:15:22 2014] [error] [client 134.226.38.233] ValueError:
Unable to configure handler 'file': [Errno 13] Permission denied:
'/var/www/bias_experiment/src/survey.log', referer:
http://phaedrus.scss.tcd.ie/bias_experiment/surveyone/
I changed the owner and group of the file (from me) to www-data with sudo chown www-data:www-data survey.log but this had no effect. Setting the write permissions to 777 gets rid of the error but I understand this is bad practice.
This answer to the question "Permission Denied when writing log file" has been very useful, but I do not understand one thing.
"You must make sure that the owner of the file is the service that's
trying to write something to it or that the file belongs to group of
the service or you'll get a permission denied error."
What is the name of the service or group that writes the Django Log file?
Setup:
Server: Ubuntu 12.04
Apache 2.2.22
mod_wsgi Version: 3.3-4ubuntu0.1
Python 2.7.3
Django 1.6
It is the same user that runs Apache. It depends on the OS; common values are
www-data
httpd
You must grant write and execute privileges to the directory that 'contains' the file.
I've been searching throughout this site for a solution but haven't been able to find one. I have a CentOS 6.4 server with Apache 2.2.15, Django 1.6 and mod_wsgi 3.2. I am using Apache to display static files and mod_wsgi to display Django content.
I placed the Django project files in the /srv directory due to this page.
When I run the Django development server, the test page that I wrote up displays properly. However, when I start my Apache server and visit 127.0.0.1, I get a 403 Forbidden error.
django.wsgi (in /srv/mysite)
import os
import sys
envpath = '/usr/lib/python2.6/site-packages'
pwd = os.path.dirname(os.path.abspath(__file__))
os.chdir(pwd)
sys.path = [env] + sys.path
os.environ['PYTHON_EGG_CACHE'] = '/srv/mysite/.python-egg'
os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
site.addsitedir(envpath)
from django.core.handlers.wsgi import WSGIHandler
application = WSGIHandlers()
httpd.conf
WSGIScriptAlias / /srv/mysite/django.wsgi
WSGIPythonPath /srv/mysite
<more aliases and tags in order to get the right static files to show>
In the httpd.conf file, the user and group that is listed is the default apache. I ran a ls -l on the /srv directory and its owner and group were listed as root. So, I ran sudo chown -R apache:apache /srv/mysite which changed the directory and all subdirectories to use apache as owner and group.
However, no matter how much I Google or try, I can't get over this 403 error.
EDIT:
I've discovered that when I disable SELinux, and the WSGIPythonPath variable in the http.conf file is django.wsgi, it results in a 500 Internal Server error. However, when I change it to wsgi.py, my website displays properly. I am curious as to why that is.
In any case, since this will be a production machine, I prefer to keep SELinux on and figure out how to get the appropriate permissions figured out.
EDIT 2:
I've edited my django.wsgi file (changed above) ala this link
EDIT 3:
I tried moving my project files into my /home/ folder. I've been alternating between trying django.wsgi and wsgi.py but still can't get past the 403 Forbidden error. I thought it was originally a permissions issue with the /srv directory but it appears that's not the case... I am trying to figure this out but nothing is working.
EDIT 4:
I decided to just stick with the development server for now... but I still need to get this working and I am at the end of my rope. Is there anyone out there that can help me?
SELinux has its own system of granting access. Your process always has to be granted access to files on the filesystem depending on the SELinux context. There are some default policies and contexts defined in SELinux that are useful for the default cases of your installation. Web files are simply expected to be in '/var/www'. You can mostly check the current context of files or processes using the switch '-Z', see:
[root@localhost]# ls -Z /var
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
Check the context of /srv/mysite
[root@localhost]# ls -Z /srv
drwxr-xr-x. root root system_u:object_r:var_t:s0 mysite
The Apache HTTPD server is allowed to access files with SELinux type httpd_sys_content_t but it is NOT allowed to access files with SELinux type var_t.
1. Change the SELinux type for your directory and check the context
[root@localhost]# chcon -R -t httpd_sys_content_t /srv/mysite
[root@localhost]# ls -Z /srv
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mysite
Check if your website is working right now.
It is not finished yet: if you relabel the filesystem to defaults, or if you use a daemon that checks or relabels it, you risk losing your new labeling.
2. Make the default labeling for your directory
Create the default labeling with 'semanage' and apply it to your directory with 'restorecon'
[root@localhost]# semanage fcontext -a -t httpd_sys_content_t "/srv/mysite(/.*)?"
[root@localhost]# restorecon -v -R /srv/mysite
[root@localhost]# ls -Z /srv
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mysite
Right now your SELinux labeling is fixed.
Note: It is possible to use regular expressions to define the default context.
Debian: I'm not a Debian user, so the SELinux type can be a bit different, but the principle is just the same: check the SELinux type of your Apache directory and set it on the directory you want to be accessible from Apache.
Read more at RedHat:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
Fedora SELinux documentation:
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/