Django [Errno 13] Permission denied: '/var/www/media/animals/user_uploads'

Problem description

I am developing a Django API which will be running on top of Apache2 via WSGI on a server running Ubuntu.

Users will be able to upload pictures they take to the server using a POST request. The API processes this request and then attempts to write the image to /var/www/media/animals/user_uploads/<animal_type>/<picture_name>.jpg. In case there is no directory /var/www/media/animals/user_uploads/<animal_type>/ it will create it.

When testing during development everything was fine, both using Windows and Scientific Linux. When testing on the deployment server, I receive this error:

From what I understand, the Apache2 server is running using the user www-data. In my case, running cat /etc/passwd to get the list of users, this is what I get for www-data:

www-data:x:33:33:www-data:/var/www:/bin/sh

I am assuming this means that www-data has access to everything in /var/www/. I have tried:

chmod 777 -R media

This worked but it is obviously a very bad way to solve this. Is there a better way to solve this?

This is my wsgi.py:

import os, sys
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "serengeti.settings")
sys.path.append('/serengeti/django/serengeti')
sys.path.append('/serengeti/django')

from django.core.wsgi import get_wsgi_application
application = get_wsgi_application()

I have this in my settings.py file:

MEDIA_ROOT = '/var/www/media/'
MEDIA_URL = os.path.join(BASE_DIR,'/media/')

My vhost.conf contains this:

Alias /media/ /var/www/media/

Solution

I have solved this myself in the end.

When running on the development machines, I am in fact running using my current user's privileges. However, when running on the deployment server, I am in fact running through wsgi, which means it's running using www-data's privileges.

www-data is neither the owner nor in the group of users that own /var/www. This means that www-data is treated as other and has the permissions set to others.

The BAD solution to this would be to do:

sudo chmod -R 777 /var/www/

This would give everyone full access to everything in /var/www/, which is a very bad idea.

Another BAD solution would be to do:

sudo chown -R www-data /var/www/

This would change the owner to www-data, which opens security vulnerabilities.

The GOOD solution would be:

sudo groupadd varwwwusers
sudo adduser www-data varwwwusers
sudo chgrp -R varwwwusers /var/www/
sudo chmod -R 760 /var/www/

This adds www-data to the varwwwusers group, which is then set as the group for /var/www/ and all of its subfolders. chmod will give read, write, execute permissions to the owner but the group will not be able to execute any script potentially uploaded in there if for example the webserver got hacked.

You could set it to 740 to make it more secure but then you won't be able to use Django's collectstatic functionality so stick to 760 unless you're very confident about what you're doing.
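
An added example, not part of the original answer: a Python audit of the mode bits discussed above. It flags world-writable entries (the 777 case), directories whose group has write but no search (x) bit, which is what a recursive 760 produces on directories, and executable files, then applies separate modes to directories and files. The 770/660 modes, the function names and the temporary tree are assumptions of this example.

```python
import os
import stat
import tempfile

DIR_MODE = 0o770   # assumption: owner and group may list, enter and write
FILE_MODE = 0o660  # assumption: owner and group may read/write, nobody executes

def audit(root):
    """Return (path, problem) pairs for risky or unusable modes under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are not enforced on Linux
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            if stat.S_ISDIR(mode) and mode & stat.S_IWGRP and not mode & stat.S_IXGRP:
                findings.append((path, "group can write but not traverse"))
            if stat.S_ISREG(mode) and mode & 0o111:
                findings.append((path, "executable file"))
    return findings

def harden(root):
    """Give directories DIR_MODE and regular files FILE_MODE."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, DIR_MODE)
        for f in files:
            path = os.path.join(dirpath, f)
            if not os.path.islink(path):
                os.chmod(path, FILE_MODE)

def demo():
    """Build a constructed upload tree, audit it, harden it, audit again."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "user_uploads")
        lion = os.path.join(uploads, "lion")
        os.makedirs(lion)
        photo = os.path.join(lion, "photo.jpg")
        open(photo, "wb").close()
        os.chmod(photo, 0o777)          # what chmod -R 777 leaves behind
        for d in (lion, uploads):
            os.chmod(d, 0o760)          # what chmod -R 760 does to a directory
        before = sorted(problem for _, problem in audit(root))
        harden(root)
        return before, audit(root), stat.S_IMODE(os.stat(photo).st_mode)

if __name__ == "__main__":
    print(demo())
```

On a real server, `audit("/var/www/media")` only reads modes, while `harden` must run as the owner of the tree or as root.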
