django/apache permissions problem - django

I'm running a django project on Centos 5.4 and serving it with httpd/mod_wsgi. I can't figure out the correct permissions for /home/website/django_project so that I don't get a 403 error.
In my httpd.conf the user and group to run httpd as is apache. The group django is set up with website and apache as members. The owner of /home/website and all subdirs is website:django, and the permissions are rwxrwx---. Right now the project works fine with the dev server, but if I try to view it through apache, I get a 403 error. chmod -R o+rx /home/website/django_project fixes the problem, but this obviously isn't a good solution.
Thanks

First, try setting the group-sticky bit on the directories:
find /home/website -type d -exec chmod g+s {} \;
Then the perms should read rwxrws---. See if this makes a difference.
If that fails, you can try to poke around as the "website" user and see what happens. Temporarily give the user "website" a home directory (not /home/website, it needs to be something else, like /var/home/website), password, and login shell, then use su - website to switch to it. Try listing the contents of /home/website and try reading files in there. Fix any problems.
Hope this helps.
P.S. I'm assuming /var/log/apache/access_log (or maybe it's /var/log/http/access_log) doesn't have anything useful.
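Added example (not part of the original answer): a POSIX shell version of the "poke around as that user" check. It walks a path and prints the first component whose mode bits deny a given uid and gid list. It assumes GNU stat and reads mode bits only, so ACL and SELinux denials are not detected; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Mode bits only: ACLs, SELinux and root's override are ignored.
# Assumes GNU stat (-c). Function names are hypothetical.

# effective_bits UID "GID ..." PATH -> prints the rwx digit (0-7) that applies.
# The classes are exclusive: an owner never falls through to group or other,
# and a group member never falls through to other.
effective_bits() {
    eb_uid=$1; eb_gids=$2
    set -- $(stat -L -c '%a %u %g' "$3" 2>/dev/null)
    [ $# -eq 3 ] || return 2
    eb_mode=$((0$1))                      # %a is octal, e.g. 770 or 2770
    if [ "$eb_uid" = "$2" ]; then echo $(( (eb_mode >> 6) & 7 )); return 0; fi
    for eb_g in $eb_gids; do
        if [ "$eb_g" = "$3" ]; then echo $(( (eb_mode >> 3) & 7 )); return 0; fi
    done
    echo $(( eb_mode & 7 ))
}

# first_blocker UID "GID ..." /abs/path [BASE]
# Prints the first component that denies traversal (x on a directory) or
# reading (r on a file); prints nothing if the whole path is usable.
# BASE is an ancestor to skip when the upper levels are known to be fine.
first_blocker() {
    fb_uid=$1; fb_gids=$2; fb_cur=${4:-}; fb_cur=${fb_cur%/}
    fb_rest=${3#"$fb_cur"/}
    while [ -n "$fb_rest" ]; do
        fb_cur="$fb_cur/${fb_rest%%/*}"
        case $fb_rest in */*) fb_rest=${fb_rest#*/} ;; *) fb_rest= ;; esac
        # A component that cannot be stat'ed is reported as the blocker.
        fb_bits=$(effective_bits "$fb_uid" "$fb_gids" "$fb_cur") || fb_bits=0
        if [ -d "$fb_cur" ]; then fb_need=1; else fb_need=4; fi
        if [ $(( fb_bits & fb_need )) -eq 0 ]; then echo "$fb_cur"; return 1; fi
    done
}

# Usage with the page's layout:
#   first_blocker "$(id -u apache)" "$(id -G apache)" /home/website/django_project
if [ $# -ge 3 ]; then first_blocker "$@"; fi
```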

Related

Django server error 403 forbidden nginx/1.10.3 (ubuntu)

I have some media content on an Ubuntu server. I can upload files, but when I try to load them it shows 403 forbidden nginx/1.10.3 (ubuntu). The file permissions are displayed as rw--------.
How can I retrieve all content without error?
I'm not familiar with Ubuntu
I used this snippet to recover files. However, it only works a single time. After a while, it shows the same error.
sudo chmod -R 664 /home/django/media/image/
sudo chmod -R a+X /home/django/media/image/
The nginx user must be able to read those files. You can use group permissions to allow that. Also the wsgi user must have its umask set so that files it creates are readable for the group as well.
In your case it looks like your wsgi user has umask 077, which makes files it creates only readable by the owner (rw--------). Thus nginx does not have read permission. Instead use umask 027, which will permit group users to access those files, but not write to them (there's no reason for nginx to have write access).
For example, if you are using gunicorn as your wsgi server, you can use the gunicorn flags --group www --umask 027. Make sure both the gunicorn and nginx users belong to the www group.
Fix the permissions with something like this:
# set group to `www` for all files recursively
sudo chgrp www -R /home/django/media/
# set all files to be read/write by owner and readable by group `www`
find /home/django/media/ -type f -exec chmod 640 {} \;
# same with directories +execute
find /home/django/media/ -type d -exec chmod 750 {} \;
Alternatively, use 644 for files and 755 for directories, and 022 for umask. Then group permissions don't matter, since all users get read access.
The latter option is not security best practice, but it's probably fine, as long as you only give the django user write access.
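Added example (not from the original answer): a one-off chmod stops helping because every new upload is still created under the old umask. The shell sketch below shows the mode a new file gets under a given umask and lists entries under a media directory that a member of the serving group still cannot use; it assumes GNU stat, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (-c); the function names are hypothetical.

# created_mode UMASK DIR -> octal mode of a file created in DIR under UMASK.
# Shell redirection requests 0666 and the umask bits are cleared from that;
# the umask clears bits from whatever mode a creating process requests.
created_mode() {
    (
        umask "$1"
        cm_file="$2/.umask-probe.$$"
        : > "$cm_file"
        stat -c '%a' "$cm_file"
        rm -f "$cm_file"
    )
}

# not_servable DIR GROUP -> entries a member of GROUP (e.g. nginx in www)
# cannot use: wrong group, file without g+r, or directory without g+rx.
not_servable() {
    find "$1" \( ! -group "$2" \
        -o \( -type f ! -perm -g=r \) \
        -o \( -type d ! -perm -g=rx \) \) -print
}

# Usage with the page's layout:  not_servable /home/django/media www
if [ $# -eq 2 ]; then not_servable "$@"; fi
```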

How can I upload files to Amazon EC2 instance?

I managed to configure my website on a Linux ec2 instance with Drupal. But I don't know where I need to modify the files of the server. I already have a fully functional website on my local host and would like to upload it in my ec2 instance.
Can I upload my site somewhere in Drupal? I also tried without Drupal, I installed Apache, and everything but I can't add files on /var/www/ folder because I don't have the necessary permission.
Can you please give me some suggestions or tutorials that might help me?
You can change file permissions using a terminal command.
As super user use:
chmod -R 777 /var/www/
The -R makes it recursive. For security reasons it's not a good practice to give everyone access to the /var/www folder. Really consider whether you want your filesystem to be so accessible.
My suggestion is to make a sub folder and temporarily give it full access while you migrate your site from the local server.
chmod -R 777 /var/www/folder_for_your_drupal_site
After you are done with your local site migration you should change the permissions back to the Drupal default settings (pay attention to the settings.php file).
For further info related with migration of local Drupal site check my answer here.
Hope this helps.

Authorization Credentials Stripped --- django, elastic beanstalk, oauth

I implemented a REST api in django with django-rest-framework and used oauth2 for authentication.
I tested with:
curl -X POST -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD" http://localhost:8000/oauth2/access_token/
and
curl -H "Authorization: Bearer <your-access-token>" http://localhost:8000/api/
on localhost with successful results consistent with the documentation.
When pushing this up to an existing AWS elastic beanstalk instance, I received:
{ "detail" : "Authentication credentials were not provided." }
I like the idea of just having some extra configuration in the standard place. In your .ebextensions directory create a wsgi_custom.config file with:
files:
  "/etc/httpd/conf.d/wsgihacks.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      WSGIPassAuthorization On
As posted here: https://forums.aws.amazon.com/message.jspa?messageID=376244
I thought the problem was with my configuration in django or some other error type instead of focusing on the differences between localhost and EB. The issue is with EB's Apache settings.
WSGIPassAuthorization is natively set to OFF, so it must be turned ON. This can be done in your *.config file in your .ebextensions folder with the following command added:
container_commands:
  01_wsgipass:
    command: 'echo "WSGIPassAuthorization On" >> ../wsgi.conf'
Please let me know if I missed something or if there is a better way I should be looking at the problem. I could not find anything specifically about this anywhere on the web and thought this might save somebody hours of troubleshooting then feeling foolish.
I use a slightly different approach now. sahutchi's solution worked as long as env variables were not changed as Tom dickin pointed out. I dug a bit deeper inside EB and found out where the wsgi.conf template is located and added the "WSGIPassAuthorization On" option there.
commands:
  WSGIPassAuthorization:
    command: sed -i.bak '/WSGIScriptAlias/ a WSGIPassAuthorization On' config.py
    cwd: /opt/elasticbeanstalk/hooks
That will always work, even when changing environment variables. I hope you find it useful.
Edit: Seems like lots of people are still hitting this response. I haven't used ElasticBeanstalk in a while, but I would look into using Manel Clos' solution below. I haven't tried it personally, but it seems a much cleaner solution. This one is literally a hack on EB's scripts and could potentially break in the future if EB updates them, especially if they move them to a different location.
Though the above solution is interesting, there is another way. Keep the wsgi.conf VirtualHost configuration file you want to use in .ebextensions, and overwrite it in a post deploy hook (you can't do this pre-deploy because it will get re-generated; yes, I found this out the hard way). If you do this, to reboot, make sure to use the supervisorctl program to restart so as to get all your environment variables set properly. (I found this out the hard way as well.)
cp /tmp/wsgi.conf /etc/httpd/conf.d/wsgi.conf
/usr/local/bin/supervisorctl -c /opt/python/etc/supervisord.conf restart httpd
exit 0
01_python.config:
05_fixwsgiauth:
command: "cp .ebextensions/wsgi.conf /tmp"

Redmine custom logo not appearing

I have installed Redmine and I've been playing around with a few themes. I am having trouble installing a custom logo. I add the new file in the correct folder and reference it in the correct stylesheet but when I inspect it in the browser it says "Failed to load the given URL"
I also tried making changes to the base.html.erb file and this did not show up either.
Simple changes to the stylesheet do work however.
Thanks for your help :)
Man, doing anything with Redmine customization is not easy but I finally got it. I followed this tutorial, http://www.redmine.org/projects/redmine/wiki/Howto_add_a_logo_to_your_Redmine_banner
However, this did not actually work on my system, so I added a few commands of my own. If these commands do not work then try adding sudo in front of them. This will prompt you for the admin password.
Near the end, the tut tells you to do this in command line:
chown redmine:redmine /opt/redmine/public/images/logo.png
Now I am using Apache so my path would look more like this
chown apache:apache /var/www/redmine/public/images/logo.png
Anyway, I tried that and it still had no effect. The additions I was making were either under public/images or public/themes, so I chose to just target the public folder. This may be bad practice when going live but I am only working locally on a virtual machine.
Here is what worked:
chown -R apache:apache /var/www/redmine/public
chmod -R 775 /var/www/redmine/public
The -R stands for recursive so it affects the child files too. chmod 775 allows read, write, execute permission for Owner & Group, and only read, execute permissions for Other.
Restart your server after that (the command could be slightly different depending on your setup, refer to the tut)
/etc/init.d/httpd restart
This was very confusing for me at first so let me know if anyone needs more clarification on the subject. I am using Redmine installed on a CentOS virtual box.

Running lynx via sudo

I am trying to run Lynx under apache user via sudo, but it seems that lynx tries to access my home directory:
$ sudo -u apache lynx
/home/ssmirnov/: No such directory
I have such permissions on my home directory: drwx------
Can you advise me how to run Lynx under another user?
You might try using sudo's -H option. It sets $HOME to the home directory of the user you're trying to run as. Perhaps lynx is looking for a file there, i dunno. (It doesn't seem to have a problem on my machine...but eh.)
-i might work as well; it basically sets the environment up as if the user had logged in, including cd'ing to their home directory. Note, that means starting the shell specified for that user, running login scripts, and all that. If the user's not allowed to log in, this will likely fail.
If you want to run it from your home directory, for example to download something to that location, of course you'll have to grant access to apache somehow. This can be done on ext* filesystems on most modern Linux systems (without granting everyone access) by saying something like setfacl -m u:apache:rwx $HOME. In a pinch, you could temporarily put apache in your group and grant group rwx permissions on your homedir...but unless this is your home machine, i wouldn't do that.