Monday, February 14, 2022

Re: collectstatic files chown'ed by root

On 14/02/2022 10:14 pm, 'Tim' via Django users wrote:
> Hi all,
> I'm deploying Django 4 via docker-compose. For security reasons, the
> Dockerfile creates a non-root user before running the entrypoint.sh
> script (which does migrations, collectstatic and starts the server
> with gunicorn). All app files are "chown"ed by this non-root user.

I seem to remember from a long-ago release note or other documentation
that making dirs was changed to replicate what Linux does, which is that
parent dirs take the system defaults while the created dir takes
ownership/mode from the user.

You might need to create directories one at a time with the appropriate
mode to suit your purposes.

>
> Everything works fine except for the collectstatic command (in
> entrypoint.sh), which creates the "staticfiles" directory but it's
> owned by root. This leads to permission denied errors when the
> collectstatic command tries to delete a static file.
>
> My question: Why does collectstatic assign the folder to "root"
> despite the non-root user calling the collectstatic command? How to
> prevent this?
>
> I tried doing the collectstatic command before switching to the
> non-root user (in the Dockerfile) which works. But it stops working
> when I put the Django SECRET_KEY in a .env file (as we should in
> production) since this env var is not available during docker build time.
>
> Now I could find a hackier way by making the secret key available
> during build time or switching back to a root user in entrypoint.sh,
> but all of this is a bad workaround in my opinion.
>
> I'm sure everyone deploying Django with docker and being mindful of
> security has come across this - Any hints about why collectstatic is
> owned by root? Is this a bug?
>
> Should I add additional details?
>
> Thanks for any tips!
> Tim
> --
> You received this message because you are subscribed to the Google
> Groups "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to django-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/c3381f62-4bf1-4142-b27f-189ef45a75fan%40googlegroups.com
> <https://groups.google.com/d/msgid/django-users/c3381f62-4bf1-4142-b27f-189ef45a75fan%40googlegroups.com?utm_medium=email&utm_source=footer>.


--
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.
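
The reply's suggestion to create directories one at a time, as an added example (not code from the thread or from Django): since Python 3.7, `os.makedirs(mode=...)` applies `mode` only to the leaf directory, so this sketch creates each level with an explicit mode and then reports any path component the running user does not own. The function names and the sample directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def make_dirs_stepwise(target, mode=0o755):
    """Create each missing component of `target` with an explicit mode.

    os.makedirs(mode=...) applies `mode` only to the leaf (Python 3.7+);
    intermediate directories get the umask-derived default instead.
    """
    created = []
    target = Path(target)
    # Walk from the outermost ancestor down to the target itself.
    for part in reversed([target, *target.parents]):
        if part.exists():
            continue
        os.mkdir(part, mode)
        os.chmod(part, mode)  # mkdir's mode is masked by umask; chmod's is not
        created.append(part)
    return created


def ownership_problems(target, stop_at):
    """List (path, reason) for components between `stop_at` and `target`
    that the current user does not own or cannot write into."""
    uid = os.geteuid()
    target, stop_at = Path(target), Path(stop_at)
    problems = []
    for part in [target, *target.parents]:
        st = part.stat()
        if st.st_uid != uid:
            problems.append((str(part), f"owned by uid {st.st_uid}, not {uid}"))
        elif (stat.S_IMODE(st.st_mode) & 0o300) != 0o300:
            problems.append((str(part), "owner lacks write/execute"))
        if part == stop_at:
            break
    return problems


if __name__ == "__main__":
    # Constructed layout in a temp dir, standing in for a STATIC_ROOT path.
    with tempfile.TemporaryDirectory() as root:
        static_root = Path(root) / "app" / "staticfiles" / "admin"
        print("created:", make_dirs_stepwise(static_root, 0o750))
        print("problems:", ownership_problems(static_root, stop_at=root))
```

Run as the non-root user before `collectstatic`, `ownership_problems` names the exact directory level that another uid owns.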
