RoR on CentOS 5, file permissions

I am learning RoR on CentOS 5. What would be the ideal way to set
permissions in the app folder? The rails default did not work for me.

I use git and apache/passenger. Everything works now that I

  • added apache to the group git (by modifying /etc/group)
  • did the following at the app root
    chown -R root:git *
    chmod -R 775 *

However, this is probably too wide.

It seems to me that somebody else is using the view templates besides
apache, because 770 gives an error. Or else Passenger does not respect
the fact that apache was added to the git group.

On Fri, Mar 15, 2013 at 7:41 AM, Jussi H. [email protected] wrote:

It seems to me that somebody else is using the view templates besides
apache, because 770 gives an error. Or else Passenger does not respect the
fact that apache was added to the git group.

Passenger runs as the user and group Apache runs as. That said you
should not need to add the executable bit to any Ruby file unless it’s
a bin file, Ruby is not PHP (actually that always kinda annoyed me
about PHP a bit :/…) That said, even if Apache was added to the git
group that does not mean that Apache will run with the git group since
Apache sets its user and group. Your best bet in that situation is to
set the group via configurations. I don’t know how CentOS sets up
Apache so you’ll have to grep that out.

On the permissions part, I would probably set it up as 640.

On Friday, March 15, 2013 3:33:39 PM UTC+2, Jordon B. wrote:

Passenger runs as the user and group Apache runs as.

I once got an error message which implied that the db dir should be
accessible to the user nobody:nobody - and my apache is set to run as
apache:apache. I haven’t tested this, though. As a temporary solution
my db directory is now world-writable.

That said you
should not need to add the executable bit to any Ruby file unless it’s
a bin file, Ruby is not PHP (actually that always kinda annoyed me
about PHP a bit :/…)

I had the exec bit on only because of directory access. I was too lazy
to adjust separately for files and directories.

That said, even if Apache was added to the git
group that does not mean that Apache will run with the git group since
Apache sets its user and group. Your best bet in that situation is to
set the group via configurations. I don’t know how CentOS sets up
Apache so you’ll have to grep that out.

On the permissions part, I would probably set it up as 640.

Let’s see… I switched the group assignments so that now git is a
member of apache group (and not vice versa). Both apache and git seem
to work ok.

Also I made this bash script which I run now and then. So far I am good
with this. The permissions are not quite optimal, though. For example I
don’t like world-writable directories.

    # this file should be at the project root
    myproj='.'

    # basic settings
    chgrp -R apache "$myproj"
    chmod -R 774 "$myproj"

    # project dir
    chmod o+x "$myproj"

    # subdirs and their contents
    find "$myproj"/* -type d -exec chmod 2775 {} \;
    chmod -R 777 "$myproj/db" "$myproj/tmp"
    chmod 666 "$myproj"/log/*

  • Jussi
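
A tighter variant of the permission script above, added here as an example and not part of anyone's post: it applies the 640 file mode suggested earlier in the thread, gives the group write access to db, tmp and log instead of making them world-writable, and lists anything that is still world-writable. The function names, the directory modes and the assumption that only db, tmp and log need write access (and that executables live in script/ or bin/) are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: GROUP is the group the app runs as (the thread uses "apache");
# db, tmp and log are the only paths the app writes to; executables live in
# script/ or bin/.

# tighten_app ROOT [GROUP]
tighten_app() {
    root=$1
    group=${2:-$(id -gn)}   # default: caller's own group, so no root is needed
    chgrp -R "$group" "$root" || return 1

    # Directories: rwx for owner, r-x for group, nothing for others.
    # The setgid bit (2xxx) makes new files inherit the directory's group.
    find "$root" -type d -exec chmod 2750 {} +

    # Regular files: 640, no execute bit on Ruby sources or templates.
    find "$root" -type f -exec chmod 640 {} +

    # Only launcher scripts keep an execute bit.
    for d in script bin; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -exec chmod 750 {} +
    done

    # Runtime-writable paths: group write instead of world write.
    for d in db tmp log; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 2770 {} +
        find "$root/$d" -type f -exec chmod 660 {} +
    done
    return 0
}

# world_writable ROOT: print every non-symlink path others can still write to.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}
```

Run `tighten_app /path/to/app apache` as root (or as the owner, if the owner is a member of the group), then `world_writable /path/to/app` should print nothing.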

On Friday, March 15, 2013 9:59:24 PM UTC+2, Frederick C. wrote:

You can configure which user your ruby code runs at. Whatever user that is
clearly needs read access to your app (and possibly write access to tmp)

I found a way to do this - using the Process::UID module.

Where should I put this in my project? And would it be harmful to use
the “apache” user - same as Apache/Passenger? That would simplify
setting the permissions in the project directory.

BTW, why cannot I post in this group with Thunderbird? Those emails just
vanish and never get to the group. I can only post with browser, using
groups.google.com. Is this normal?

  • Jussi

On Friday, March 15, 2013 7:42:45 PM UTC, Jussi H. wrote:

apache:apache. I haven’t tested this, though. As a temporary solution my
db directory is now world-writable.

You can configure which user your ruby code runs at. Whatever user that
is clearly needs read access to your app (and possibly write access to tmp)

Fred

On Saturday, March 16, 2013 11:11:21 PM UTC+2, Colin L. wrote:

Is the email address you use with thunderbird the one you used to register
with?

Yes.

  • Jussi

On Saturday, March 16, 2013 5:53:14 PM UTC, Jussi H. wrote:

Where should I put this in my project? And would it be harmful to use the
“apache” user - same as Apache/Passenger? That would simplify setting the
permissions in the project directory.

You should just be able to set this in the virtual host configuration.

Fred

On 16 March 2013 17:53, Jussi H. [email protected] wrote:


BTW, why cannot I post in this group with Thunderbird? Those emails just
vanish and never get to the group. I can only post with browser, using
groups.google.com. Is this normal?

Is the email address you use with thunderbird the one you used to
register with?

Colin

On Sunday, March 17, 2013 8:47:23 PM UTC+2, Frederick C. wrote:

You should just be able to set this in the virtual host configuration.

Now I found a way to do this. I could add

    PassengerDefaultUser apache

(or whichever user you like except root)

to the virtual host block of the apache conf. I just tested this, and it
works.

But there is a more elegant way. All the necessary information is here:

http://www.modrails.com/documentation/Users%20guide%20Apache.html#user_switching

In essence, you just need to change the owner of config/environment.rb.
This I did not test yet, though.

  • Jussi