Problem description
Running Ubuntu 10.04 on Linode, RVM, Rails 3, Apache with Passenger module, carrierwave and mini-magick
I get:
Rails Error: Unable to access log file. Please ensure that /srv/www/mysite.com/testapp/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
and Errno::EACCES (Permission denied /srv/www/mysite.com/testapp/public/uploads/tmp/20110517-1707-2938-6455):
I ran chmod -R root:root /srv/www/mysite.com/testapp
then: chmod -R www-data:www-data /srv/www/mysite.com/testapp
& chmod -R www-data:www-data /srv/www/mysite.com/testapp/public/uploads
Since the only two directories that should be writable are the log files and the uploads directory, I tried to secure the rest. Are there any other folders / files that I need to make writable?
Recommended answer
Permissions on web sites are a little strange: on the one hand, the content needs to be readable by the webserver and FastCGI or Passenger or whatever executes the (in this case, Ruby) code. On the other hand, if the webserver user owns the files, then a hacked webserver or (more likely :) your code could modify the executable files and static files that are your website. It happens too often.
If the content of the website is owned by some other user, not writable by the web server software, then the website can not be overwritten by attackers. (Of course, you have a few open sockets to a database connection; all the database backed data can be corrupted by attackers. Also, any directory where you allow uploads could be corrupted by attackers. But the goal is to reduce the privileges of the software as far as reasonable.)
So, all that said, on to your specific question; your webserver software runs as www-data, and it makes sense for your log files and upload directory to be owned by www-data:
mkdir -p /srv/www/mysite.com/testapp/log/ # might not exist yet
chown -R pcasa:pcasa /srv/www/mysite.com/ # or some other user
chmod 755 /srv/www/mysite.com
chmod 755 /srv/www/mysite.com/testapp/
# populate the app directory with your files, if you haven't done so already
chown -R www-data:www-data /srv/www/mysite.com/testapp/log
chmod 755 /srv/www/mysite.com/testapp/log # see notes
chmod 644 /srv/www/mysite.com/testapp/log/* # see notes
I made the assumption that all users on your system can read the log. This might not be true. Use 700 in place of 755 and 600 in place of 644 if you don't want all system users to read the log files.
Next, for your uploads directory:
mkdir -p /srv/www/mysite.com/testapp/public/uploads/tmp # might not exist yet
chown -R www-data:www-data /srv/www/mysite.com/testapp/public/uploads
chmod 755 /srv/www/mysite.com/testapp/public/uploads
chmod 755 /srv/www/mysite.com/testapp/public/uploads/tmp
Again, I've made the assumption that all users on your system should be able to see all the uploaded content. Use 700 in place of 755 if you just want the webserver software to be able to read the files.
These are simple guidelines that should work; you can get more complicated if you want to keep the website software and content shared only between the user that owns the website and the user that runs the website, by running the webserver with a supplementary group (see newgrp(1) and group(5) manpages for details) and giving the files the same group owner, and using the group permission bits (the middle octal number: 750 vs 700). It's complicated enough that unless you've got a good reason, it's probably not worth going down this route. (Definitely worth doing once on a development machine somewhere, just so you're familiar enough with it that you can use it in the future. :)