Ubuntu – Python uWSGI logs have no read permissions

amazon-web-servicesfile-permissionsloggingUbuntuuwsgi

I am running a Python Flask server on uWSGI over an EC2 Ubuntu 14.04 LTS. The server is configured as follows:

[uwsgi]
http-socket    = :9000
plugin         = python
wsgi-file      = /path/to_wsgi.py
enable-threads = true

The logs, however, are created using root permissions without read access:

$ ls -ltrh /var/log/uwsgi/app
total 34M
-rw-r----- 1 root root 2.3M Jun  4 06:50 reporter-uwsgi.log.2.gz
-rw-r----- 1 root root  24M Jun  5 06:51 reporter-uwsgi.log.1
-rw-r----- 1 root root 8.4M Jun  5 17:27 reporter-uwsgi.log

This is an annoyance, because some of my scripts run as a normal user and parse these logs.

Any idea how to configure uWSGI to be written with global read permissions?

Best Answer

You can use the logfile-chown and logfile-chmod configuration options. Both can be set from the command line or in an .ini file.

Here is an example:

[uwsgi]
# ...
logto = /path/file_name.log
logfile-chown = username:groupname
logfile-chmod = 640

Related Solutions

SSH – Bad Owner or Permissions on ~/.ssh/config

I needed to have rw for user only permissions on config. This fixed it.

chmod 600 ~/.ssh/config

As others have noted below, it could be the file owner. (upvote them!)

chown $USER ~/.ssh/config

If your whole folder has invalid permissions here's a table of possible permissions:

Path	Permission
.ssh directory (code)	0700 (drwx------)
private keys (ex: `id_rsa`) (code)	0600 (-rw-------)
`config`	0600 (-rw-------)
public keys (*.pub ex: `id_rsa.pub`)	0644 (-rw-r--r--)
`authorized_keys` (code)	0644 (-rw-r--r--)
`known_hosts`	0644 (-rw-r--r--)

Sources:

openssh check-perm.c
openssh readconf.c
openssh ssh_user_config fix_authorized_keys_perms

Ubuntu – WSGI says “permissions denied” on the Ubuntu server, no WSGISocketPrefix setting works

You are using ITK MPM for Apache. You will need to be using mod_wsgi 3.3 or later, which contains fix:

When compiled against ITK MPM for Apache, if using daemon mode, the listener socket for daemon process will be marked as being owned by the same user that daemon process runs. This will at least allow a request handled under ITK MPM to be directed to daemon process owned by same user as script. See issue:

http://code.google.com/p/modwsgi/issues/detail?id=187

You cannot though just use binary supplied by operating system as those available are likely only going to be for worker and prefork MPM. For ITK MPM you will need to compile mod_wsgi from source code and you MUST have the appropriate headers files for the ITK MPM installed and not those for worker or prefork MPM. This is because mod_wsgi source code has:

    if (!geteuid()) {
#if defined(MPM_ITK)
        if (chown(process->socket, process->uid, -1) < 0) {
#else
        if (chown(process->socket, ap_unixd_config.user_id, -1) < 0) {
#endif
            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, wsgi_server,
                         "mod_wsgi (pid=%d): Couldn't change owner of unix "
                         "domain socket '%s'.", getpid(),
                         process->socket);
            return -1;
        }
    }

IOW, it is a compile time choice as to how to setup permissions with it only being set for ITK MPM correctly if ITK MPM headers are installed properly and so MPM_ITK #define found.

In summary, you will need to do the following:

(1) Ensure that ITK MPM header files installed. If using binary package for Apache, see if there is an ITK variant of the Apache dev package.

(2) Compile and install mod_wsgi from source code available in publically downloadable mod_wsgi 3.3 source package

The mod_wsgi source code package and installation instructions are available from:

http://www.modwsgi.org

Best Answer

Related Solutions

SSH – Bad Owner or Permissions on ~/.ssh/config

Ubuntu – WSGI says “permissions denied” on the Ubuntu server, no WSGISocketPrefix setting works

Related Topic