File permissions in railsapp for non-root mongrel

Hello,

Short version: what files and dirs need to be owned by the user
mongrel is running as, for my rails app to work?

I’ve set up a mongrel cluster to serve my rails app. At first, I
loaded up the mongrels using launchd (it’s running on a mac), and the
example plist-file I found for /Library/LaunchDaemons didn’t set
UserName, so the mongrels ran as root. Everything worked fine, but I
felt that they should run as _www or some other non-privileged user.
At first, I couldn’t start the cluster, but that was because _www
couldn’t write to tmp/pids/, so I chown:ed that dir.
Now the cluster started up, but I couldn’t modify the database (I
could read it though). This was a test app still on sqlite3, so I
figured I’d better chown the db/sqlite3 files as well. That didn’t
fix the problem though (is sqlite3 creating some sort of lock file or
something?). I realized _www needs to write to log/
also, and in
order to fix the sqlite3-problem I resorted to chown -R the entire
rails app.

It works fine now, but I feel like I defeated some of the purpose of
running mongrel as a non-privileged user. It now has write privileges
on stuff it should never modify. Ideally, I’d like to give _www
privileges to only the files and dirs it needs to modify. Can someone
here give me a few pointers?

log/
tmp/
db/*sqlite3
what else?

  • Martin