The fix we agreed upon is wrong.

1) more files/folders are concerned:
   640 root:www-data /usr/share/redmine/config/initializers/session_store.rb
   640 root:www-data /etc/redmine/<instance-identifier>/database.yml
   640 root:www-data /etc/redmine/<instance-identifier>/email.yml
   750 www-data:www-data /var/log/redmine/<instance-identifier>

2) making those files readable by "nobody" is an obvious security hole. A lot of processes run as nobody. They are not supposed to be able to read those files.

In conclusion, the patch you sent won't make its way to the redmine package. Either configure passenger to run as www-data, or chown those files yourself, keeping in mind that it is wrong to do that.

On 07/01/2010 18:12, Beef Sprocket wrote:
> That could work as well now that you mention it. Might be easiest.
> passenger usually (from source) runs as root. If it is started as that
> user, it will run any apps as the owner of the app's
> config/environment.rb file -- it is a handy way of keeping threads for
> each app separate.
>
> The problem is, passenger will only do that if it runs as root.
> Otherwise, it falls back to nobody:nogroup. I wonder if setting the
> PassengerDefaultUser to root would get things reenabled? Might upset
> the apache2* maintainers though ;)
>
> I like your chown for now, but will test running with
> "PassengerDefaultUser root" later this afternoon and get back to you.
>
> Cheers!
>
> On Thu, Jan 7, 2010 at 11:28 AM, Jérémy Lal <je...@edagames.com> wrote:
>>
>> would
>> chown nobody:www-data session_store.rb
>>
>> be a solution ?
>>
>> Also,
>> why would passenger run as nobody ?
>> Would it make more sense to run it as www-data ? If yes,
>> i guess some discussion with passenger package maintainer
>> would help us finding a solution.
>> By the way i'm not a passenger user, so please be verbose.
>>
>> Regards,
>> Jérémy Lal
>>
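An added audit script (example code, not from the thread or the redmine package) that checks the four paths and modes listed in the message against that policy and flags anything the "other" class, and therefore nobody, can reach; it assumes GNU stat and takes the instance identifier as its argument.

```shell
#!/bin/sh
# Policy exactly as stated in the message; <instance-identifier> is
# substituted per Redmine instance by audit_redmine.
POLICY='640 root:www-data /usr/share/redmine/config/initializers/session_store.rb
640 root:www-data /etc/redmine/<instance-identifier>/database.yml
640 root:www-data /etc/redmine/<instance-identifier>/email.yml
750 www-data:www-data /var/log/redmine/<instance-identifier>'

# check_entry EXP_MODE EXP_OWNER ACT_MODE ACT_OWNER PATH
# Prints one line per finding; returns 0 only when the entry matches policy.
check_entry() {
    exp_mode=$1; exp_owner=$2; act_mode=$3; act_owner=$4; path=$5
    rc=0
    # The last octal digit is the "other" class: any non-zero value means
    # every local account (nobody included) gets some access to the file.
    other=${act_mode#"${act_mode%?}"}
    if [ "$other" != 0 ]; then
        echo "WORLD-ACCESSIBLE: $path has mode $act_mode"
        rc=1
    fi
    if [ "$act_mode" != "$exp_mode" ]; then
        echo "MODE: $path is $act_mode, expected $exp_mode"
        rc=1
    fi
    if [ "$act_owner" != "$exp_owner" ]; then
        echo "OWNER: $path is $act_owner, expected $exp_owner"
        rc=1
    fi
    return $rc
}

# audit_redmine INSTANCE
# Runs check_entry over the real files of one instance (GNU stat assumed).
audit_redmine() {
    printf '%s\n' "$POLICY" | sed "s|<instance-identifier>|$1|" | (
        rc=0
        while read -r mode owner path; do
            if [ ! -e "$path" ]; then
                echo "MISSING: $path"; rc=1; continue
            fi
            check_entry "$mode" "$owner" "$(stat -c %a "$path")" \
                        "$(stat -c %U:%G "$path")" "$path" || rc=1
        done
        exit $rc   # status of this subshell becomes the pipeline's status
    )
}

# Usage: audit_redmine default && echo "redmine permissions OK"
```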