Monday, October 12, 2015

Apache - wsgi permission denied

When mod_wsgi is used in daemon or background mode, UNIX sockets are used to communicate between the Apache child processes and the daemon processes that handle the requests.

These sockets and the related lock files are placed in the standard Apache runtime directory (/etc/httpd/logs/). This is the same directory in which the Apache log files are normally placed.

On some Linux distributions, restrictive permissions are placed on the standard Apache runtime directory:
# ll /etc/httpd/
lrwxrwxrwx 1 root root   14 Sep 25 15:46 logs -> /var/log/httpd
lrwxrwxrwx 1 root root   24 Sep 25 15:46 modules -> /usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   14 Sep 25 15:46 run -> /var/run/httpd

# ll /var/run/httpd
rw-r--r-- 1 root root 6 Sep 25 17:15 httpd.pid

This can cause problems with mod_wsgi, because the user that the Apache child processes run as will not have the permissions required to access the directory and connect to the sockets. For example, the error log shows:

[error] [client 207.107.138.54] (13)Permission denied: mod_wsgi (pid=26057): Unable to connect to WSGI daemon process 'bugReport' on '/etc/httpd/logs/wsgi.26053.0.1.sock' after multiple attempts.

To resolve the problem, the WSGISocketPrefix directive should be defined to point at an alternate location. This is done by defining "WSGISocketPrefix" in "/etc/httpd/conf/httpd.conf" (in my case):

WSGISocketPrefix /var/run/wsgi

Then restart the Apache process and you should be OK.

Note: do not put the sockets in the system temporary working directory. That is, do not make the prefix '/tmp/wsgi'. The directory should be one that is writable only by the 'root' user or, if Apache is not started as 'root', by the user that Apache is started as.
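The two conditions above (the child processes must be able to reach the directory, and only the user that starts Apache may write to it) can be checked before restarting. The script below is an added example, not part of the original post: the function name check_wsgi_socket_prefix and its optional second argument are hypothetical, and it assumes a `stat` that supports `-c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not from the original post): audit the directory that a
# WSGISocketPrefix value resolves to.
# Usage: check_wsgi_socket_prefix PREFIX [START_USER]
#   START_USER = user Apache is started as (assumed to be root if omitted).
# Prints one line per finding; returns 0 when no problem is found.
check_wsgi_socket_prefix() (
    prefix=$1
    start_user=${2:-root}
    rc=0

    # The value is a file-name prefix, not a directory: the socket in the
    # error message above is <prefix>.<pid>.<n>.<n>.sock, so audit the parent.
    dir=$(dirname "$prefix")

    case $dir in
        /tmp|/var/tmp)
            echo "FAIL: $dir is a system temporary directory"; rc=1 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"
        return 1
    fi

    mode=$(stat -c '%a' "$dir")     # octal mode, e.g. 755
    owner=$(stat -c '%U' "$dir")

    if [ "$owner" != "$start_user" ]; then
        echo "FAIL: $dir is owned by $owner, expected $start_user"; rc=1
    fi
    # Writable by group or others: users other than the one starting
    # Apache could tamper with the socket path.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir (mode $mode) is writable by group or others"; rc=1
    fi
    # No search bit for others: the Apache child user cannot reach the
    # socket, which is the (13)Permission denied case. Assumes the child
    # user is neither the owner nor a member of the directory's group.
    if [ $(( 0$mode & 001 )) -eq 0 ]; then
        echo "FAIL: $dir (mode $mode) is not searchable by the child user"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir (mode $mode, owner $owner)"
    return "$rc"
)

# Run only when a prefix is given, e.g.: sh check.sh /var/run/wsgi
if [ $# -gt 0 ]; then check_wsgi_socket_prefix "$@"; fi
```

Run it as root against the value you intend to use, for example `/var/run/wsgi`; a prefix under the default log directory fails the search-bit check when that directory is closed to other users.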
