Socket ownership (again) #137

Closed
azurit opened this issue Jun 2, 2016 · 4 comments

azurit commented Jun 2, 2016

I know this was discussed many times but let's open it again. Many years have passed and distributions are still providing incorrectly compiled mod_wsgi against Apache MPM ITK. Even more, in Apache 2.4, MPM ITK is no longer an MPM but a standard module which is loaded with MPM Prefork. There are also other similar modules which are not working ok with mod_wsgi because of socket ownership/permissions (mod_suid, mod_ruid, mod_ruid2, maybe more?). I have lost so MANY MANY hours trying to resolve the problem WITHOUT compiling and maintaining my own mod_wsgi (which I don't want to do because it means lots of work for me and my company). I'm totally frustrated because of such a simple thing :( and I REALLY don't understand why you are refusing to implement custom socket owner/permissions settings. Even even more, Firefox 46 and above includes a bug which makes it unable to correctly handle HTTP connections shut down by the server (see https://bugzilla.mozilla.org/show_bug.cgi?id=1277522 ) so when you are running a VirtualHost under two different system users (one for static data running under the customer's user and one for mod_wsgi running under the Apache user [www-data] so it has access to the mod_wsgi socket), Firefox is showing a 'connection reset' error on every second request. So we are now doing ugly workarounds like disabling KeepAlive (so connections are not reused) or moving static data to a different subdomain/virtualhost and so on - costs us more and more time and happiness :(

Can you PLEASE PLEASE PLEASE reconsider implementing custom socket ownership/permissions settings? I don't understand why it is wrong to allow users to set this (and we are not asking it because we are trying to do something stupid, we simply NEED IT to get things working).

@GrahamDumpleton
Owner

This capability was implemented back in December 2014 in version 4.4.1. The option to WSGIDaemonProcess is socket-user. Give as the option the #nnn or username which the Apache child worker process is dropping privileges to and which the socket needs to be owned by. This mechanism is compatible with the PrivilegesMode mode of SECURE and would presumably be compatible with older MPM types which did the same thing.
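
A configuration sketch of the option described in the comment above, added here as an example and not taken from the thread or from the mod_wsgi project. The account name `customer1`, the host name and all paths are hypothetical, and it assumes Apache 2.4 with mpm-itk loaded and mod_wsgi 4.4.1 or later.

```apache
# Added example; user, group, host and path names are hypothetical.
# Server scope: directory in which mod_wsgi creates the daemon sockets.
# Every account named in socket-user needs search (x) permission on it.
WSGISocketPrefix /var/run/apache2/wsgi

<VirtualHost *:80>
    ServerName customer1.example.com

    # mpm-itk: requests for this vhost are handled as customer1,
    # not as www-data.
    <IfModule mpm_itk_module>
        AssignUserID customer1 customer1
    </IfModule>

    # Static files are served directly by the worker running as customer1.
    DocumentRoot /srv/customer1/htdocs
    <Directory /srv/customer1/htdocs>
        Require all granted
    </Directory>

    # Daemon process group for the application. socket-user makes
    # customer1 the owner of the listener socket, so the worker that has
    # switched to customer1 can connect to it without the vhost having
    # to run as www-data. A numeric UID can be given as socket-user=#nnn.
    WSGIDaemonProcess customer1 user=customer1 group=customer1 socket-user=customer1
    WSGIProcessGroup customer1
    WSGIScriptAlias /app /srv/customer1/app/wsgi.py

    <Directory /srv/customer1/app>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
```

After a restart, the socket file created under the `WSGISocketPrefix` path should be listed as owned by the account given in `socket-user`.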

@GrahamDumpleton
Owner

No further feedback on whether any change is actually required, closing.

@azurit
Author

azurit commented Nov 13, 2016

Because I currently cannot try it, newest stable Debian includes version 4.3. I will reopen this in case of any problems. Thank you.

@GrahamDumpleton
Owner

Debian only ships out of date software, especially in the case of mod_wsgi, so can't help you with that. :-)
