The server runs Python + nginx.

Python is launched as user, nginx as www-data.

The site lets you upload a photo; the code crops the image and saves it in the desired folder. The original is saved with permissions 770, and the new cropped copy with permissions 660. But neither of them can be viewed through the site. Only if I manually change the permissions to 755 do these pictures become available through the site. I tried adding the user www-data to the group user in /etc/group, hoping that nginx and python would then have a common group and would have access to the files, but I was mistaken.

What am I doing wrong? Do I need to run something as a different user, or change some settings on the server, or something else? There is an option to manually assign the permissions to the saved files in the code, but IMHO it is crooked; I think there should be a solution at the server level.

Thanks for your attention.

    2 answers

    Set the SGID flag on directories accessible via the web. Something like this:

    chgrp -R www-data /var/www
    find /var/www -type d -exec chmod g+s '{}' \;

    Then the files created in these directories will belong to the group www-data.

    If possible, specify the rights with which the file is created explicitly in the code (not forgetting that they will be limited by the process umask).

    A more flexible option (if one is required; if not, it is easier to get by with the SGID bit): provided that the file system supports POSIX Access Control Lists (for ext3/ext4, the acl flag when mounting), you can set the permissions using setfacl.

    • The SGID flag did not help. So I will programmatically assign rights. Thanks for the answer. - trec
    • Strange. Run ls -la in the directory with the uploaded files (the ones that do not open) and show a piece of the output, please. - drdaeman 2:19
    • Highlighted in red are those that I manually changed to 755, and the green and pink ones are the photos created by the code. clip2net.com/s/2veVH - trec 2:41
    • @trec: Well, all the files, judging by the date, were uploaded even after the rights to the directory were changed (17:21). Run chgrp www-data * to change the group. New files, however, should already appear with the correct group on their own. With one exception: if you first create the files on upload, for example, in /tmp, and then move them to this directory, then the group will not change (and it will be kard). SGID must be set on the place where the files are created. - drdaeman 2:46
    • Also, if you can't figure it out, add the user www-data to the kard group, not to user, and restart the web server (this is important, otherwise the addition to the group will not be noticed: the group list is determined exactly when the process starts). But this is a crutch solution; it is not good to give www-data such broad powers. - drdaeman

    Try changing the rights in the script when cropping; set them to 751. Alas, I do not remember which function is responsible for this. Look in the os module.

    • I did it for one project, but I still wonder if it is possible to configure this on the server itself, having correctly set the rights. - trec
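
An added example, not code from either answer: one way to combine the points made above (explicit permissions in code, the umask limit, and creating the file inside the SGID directory rather than moving it in from /tmp). The names `save_upload` and `describe` and the 0640 mode are assumptions chosen for illustration.

```python
import contextlib
import os
import stat
import tempfile

FILE_MODE = 0o640  # assumed policy: owner rw, group (e.g. www-data) r, others none


def save_upload(data: bytes, dest_dir: str, name: str, mode: int = FILE_MODE) -> str:
    """Store data as dest_dir/name with exactly `mode`, whatever the umask is."""
    final_path = os.path.join(dest_dir, os.path.basename(name))  # drop any path parts
    # Create the temporary file inside dest_dir, not /tmp: a file created here
    # takes the directory's group when the directory is SGID, while a file
    # moved in from elsewhere keeps the group it was created with.
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".upload-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            # mkstemp creates the file 0600; fchmod sets the final mode and,
            # unlike the mode argument of open(), is not filtered by umask.
            os.fchmod(f.fileno(), mode)
        os.replace(tmp_path, final_path)  # atomic rename on the same filesystem
    except BaseException:
        with contextlib.suppress(FileNotFoundError):
            os.unlink(tmp_path)
        raise
    return final_path


def describe(path: str) -> dict:
    """Report what decides whether another account can read `path`."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "gid": st.st_gid,
        "group_can_read": bool(st.st_mode & stat.S_IRGRP),
        "parent_sgid": bool(parent.st_mode & stat.S_ISGID),
        "parent_group_can_enter": bool(parent.st_mode & stat.S_IXGRP),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for the upload folder
        os.umask(0o077)  # a restrictive umask that would strip group bits from open()
        print(describe(save_upload(b"constructed sample bytes", d, "photo.jpg")))
```

Running `describe` on a file that nginx cannot serve shows which of the conditions is missing: the group read bit, the file's group, or the SGID and group-execute bits on the directory.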