Python – WSGIDaemonProcess: specifying a user

apache-2.2, mod-wsgi, python, wsgi

I have a user account all set up for this Python webapp I'm deploying with mod_wsgi. It's super-unprivileged, and only gets to read from the appdir and write to a separate set of tempdirs which no one else gets to look at. I'm using the following config line:

WSGIDaemonProcess xlsxf_daemon user=xlsxf group=xlsxf

Simple enough. Unfortunately, we then have this from the docs about the user option:

Note that this option is ignored if Apache wasn't started as the root user, in which case no matter what the settings, the daemon processes will be run as the user that Apache was started as.

Since I'm running this in a default Ubuntu install on Linode, Apache starts as the www-data user and the Python app I have confirmed is doomed to also run as www-data. Why the limitation above? I have plenty of ruby/passenger apps that daemonize as other users just fine.

edit: okay, so Apache doesn't start as the www-data user, but I'm still seeing that the Python webapp runs as www-data in spite of the above config line. /edit

Alternatively, am I just being overly paranoid here? I have multiple different projects running on this server, and I'd like them all to run as separate users, "just in case", but feel free to tell me that I should just give in and move the permissions over to www-data.

edit2: As requested, here are all the running Apache processes:

root     18798  0.0  1.9  16156  9880 ?        Ss   Jul26   0:03 /usr/sbin/apache2 -k start
www-data 19344  0.0  1.0  15208  5264 ?        S    Jul26   0:00 /usr/sbin/apache2 -k start
xlsxf    19361  0.0  1.2 155244  6620 ?        Sl   Jul26   0:02 /usr/sbin/apache2 -k start
www-data 19379  0.0  3.2 245436 16420 ?        Sl   Jul26   0:01 /usr/sbin/apache2 -k start
www-data 19380  0.0  3.2 243536 16496 ?        Sl   Jul26   0:01 /usr/sbin/apache2 -k start

Best Answer

You are reading it wrong. Apache does start as 'root' and the parent Apache process stays as 'root'; only the Apache server child processes run as 'www-data'. The mod_wsgi daemon processes are forked from the parent 'root' process and so will still be able to change to that user.

What the comment is saying is that if you start Apache from a totally non-privileged account, e.g., as you, out of an install of Apache in your home directory or elsewhere, then since it doesn't start as 'root' it can't change the user id of daemon processes. Apache started from system init scripts is always started as 'root' though, and should be no issue.
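To confirm which account a request actually executes under, a small diagnostic WSGI app can report the effective user and the mod_wsgi process group. This is an added example, not code from the question or the answer; it assumes the `mod_wsgi.process_group` key that mod_wsgi places in the WSGI environ (empty in embedded mode) and takes the expected user `xlsxf` from the config line above. The helper names are hypothetical.

```python
import grp
import os
import pwd

EXPECTED_USER = "xlsxf"  # user= value from the WSGIDaemonProcess line on this page


def name_of(lookup, ident):
    """Resolve a uid/gid to a name; fall back to the number if it is unmapped."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def process_identity(environ):
    """Report who this request is really running as, and in which mode."""
    group = environ.get("mod_wsgi.process_group", "")
    return {
        "pid": os.getpid(),
        "euser": name_of(pwd.getpwuid, os.geteuid()),
        "egroup": name_of(grp.getgrgid, os.getegid()),
        # An empty process group means embedded mode: the code runs inside
        # an Apache server child process, not in a daemon process.
        "mode": "daemon:" + group if group else "embedded",
    }


def application(environ, start_response):
    """WSGI entry point: plain-text report plus a pass/fail line."""
    ident = process_identity(environ)
    ok = ident["euser"] == EXPECTED_USER and ident["mode"] != "embedded"
    lines = ["%s=%s" % kv for kv in sorted(ident.items())]
    lines.append("least_privilege_ok=%s" % ok)
    body = ("\n".join(lines) + "\n").encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

If the report shows `mode=embedded`, the request was served by an Apache child process rather than delegated to the `xlsxf_daemon` process group (in mod_wsgi that delegation is configured with `WSGIProcessGroup`). Mount the script only for the duration of the check, since it discloses process details.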
