From da17c2b84fda02aa1f1615f04e6d681cea9adcb4 Mon Sep 17 00:00:00 2001 From: Gabriel Hurley Date: Tue, 19 Oct 2010 00:58:34 +0000 Subject: [PATCH] [1.2.X] Fixed #7616 -- Added advice on unix socket permissions and umasks to fastcgi deployment documentation. Thanks to Malcolm Tredinnick for the report and advice, and PaulM and cramm for reviewing the patch. Backport of [14276] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@14277 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/howto/deployment/fastcgi.txt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/howto/deployment/fastcgi.txt b/docs/howto/deployment/fastcgi.txt index a445a2d1a7..3bf231fb19 100644 --- a/docs/howto/deployment/fastcgi.txt +++ b/docs/howto/deployment/fastcgi.txt @@ -111,6 +111,14 @@ Running a threaded server on a TCP port:: Running a preforked server on a Unix domain socket:: ./manage.py runfcgi method=prefork socket=/home/user/mysite.sock pidfile=django.pid + +.. admonition:: Socket security + + Django's default umask requires that the webserver and the Django fastcgi + process be run with the same group **and** user. For increased security, + you can run them under the same group but as different users. If you do + this, you will need to set the umask to 0002 using the ``umask`` argument + to ``runfcgi``. Run without daemonizing (backgrounding) the process (good for debugging)::