On Mon, Sep 23, 2019, at 3:02 AM, Tobias Hachmer via Mailman-users wrote:
> Hi Mark,
> thanks for your response.
> On 9/23/19 1:29 AM, Mark Sapiro wrote:
>> On 9/22/19 2:11 AM, Tobias Hachmer via Mailman-users wrote:
>>> Now, running the scheduled tasks (which run from user+group "nginx") for django I ran into permission problems, because the nginx user can't access/write to the needed files in /opt/mailman3/core/...
>>> I would appreciate any hints on how to run the different pieces of mailman3 with the correct user/groups/permissions.
>> Set up everything as user:group mailman3:mailman3. I.e.,
>> chown -R mailman3:mailman3 /opt/mailman3/web
>> and set the uwsgi service to drop privileges to user+group "mailman3".
> So simple, now the scheduled tasks are working, but the whole web service did not work because the web server user nginx can't access and write to the uwsgi socket anymore, /opt/mailman3/web/project/run/uwsgi.sock.
> # chown -R nginx:mailman3 /opt/mailman3/web
> This works for all. But isn't it a security risk that e.g. manage.py and settings.py are readable and writable by the webserver?
You just need them to be readable, not writable. You could possibly use xattrs to just grant read privs.
You could also configure uwsgi to create a socket somewhere nginx can read it; /var/run/uwsgi.sock should be good enough. You can in theory also try https://uwsgi-docs.readthedocs.io/en/latest/Systemd.html for a systemd setup, in which case you don't have to manually create sockets, as systemd can do that for you.
> Regards, Tobias
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
-- thanks, Abhilash Raj (maxking)
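As an added example (not from this thread, and not the Mailman project's own configuration), here is a uwsgi.ini that applies the two replies above: uwsgi drops privileges to mailman3:mailman3, so the Django tree can stay owned by mailman3 with the "chown -R mailman3:mailman3 /opt/mailman3/web" model, and only the socket, placed outside the code tree, is made group-accessible to nginx. The socket directory /run/mailman3-web, the project layout under /opt/mailman3/web and the WSGI module name are assumptions; adapt them to the existing configuration.

```ini
; /opt/mailman3/web/uwsgi.ini  (added example; paths and module name are assumptions)
[uwsgi]
; Drop privileges to the account that owns /opt/mailman3/web. The application
; code, manage.py and settings.py then never need to be writable by nginx;
; nginx does not even need read access to the tree, only to the socket.
uid = mailman3
gid = mailman3

chdir = /opt/mailman3/web
; Assumed module path; use the WSGI entry point of your existing setup.
module = project.wsgi:application

; Keep the socket outside the code tree. The directory must exist and be
; writable by mailman3 (for systemd: RuntimeDirectory=mailman3-web in the unit).
socket = /run/mailman3-web/uwsgi.sock
; Owner stays mailman3; group nginx lets the web server connect.
; 660 = read/write for owner and group only, nothing for others.
; chown-socket to another group needs uwsgi started as root (it binds the
; socket, then drops to uid/gid); otherwise mailman3 must be in group nginx.
chown-socket = mailman3:nginx
chmod-socket = 660

; Contrast with the setting that raised the question: a socket inside
; /opt/mailman3/web/project/run/ required "chown -R nginx:mailman3" over the
; whole tree, which made manage.py and settings.py writable by the web server.

master = true
processes = 2
; remove the socket file on exit
vacuum = true
```

With this layout the only object shared between the web server and the application is the socket, so a compromise of the nginx worker gains no write access to settings.py or manage.py; the systemd socket-activation variant linked above achieves the same separation by letting systemd create the socket with a SocketUser/SocketGroup of its own.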