Trying to set up flask with mod_wsgi

Question

I'm trying to set up flask with mod_wsgi but I keep getting following error

(13)Permission denied: access to / denied (filesystem path '/home/ec2-user/myapp') because search permissions are missing on a component of the path

test is a valid route in the flask app.
This is my myapp.conf file in the /etc/httpd/conf.d folder

WSGIRestrictStdout Off
<VirtualHost *>
    ServerName somewhere.compute-1.amazonaws.com

    WSGIDaemonProcess flaskapp user=ec2-user group=ec2-user threads=5
    WSGIScriptAlias / /home/ec2-user/myapp/myapp.wsgi

    <Directory /home/ec2-user/myapp>
        WSGIProcessGroup flaskapp
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
    </Directory>
    LogLevel notice
</VirtualHost>

This is Apache/2.2.26 with python 2.6.8
I am not using virtualenv.

When i start apache i see this as notice in the error_log

[Mon Feb 10 14:33:00 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_wsgi/3.2 Python/2.6.8 configured -- resuming normal operations

This is my myapp.wsgi file

from flask import Flask
application = Flask(__name__)

@application.route("/")
def hello():
    return "Hello World!"

if __name__ == "__main__":
    application.run(host='0.0.0.0', port=80)

running just python myapp.wsgi works fine

The error seems to tell me i should change some permissions on some folder, but I have no idea what folder.

Answer 1

You should check out the Apache docs for 13PermissionDenied and make sure that you set the correct permissions for your folder.

chmod 755 /home/ec2-user/myapp/

You can also:

cd /home/ec2-user/
ls -la 

Which will output every file and the owner:group and permissions for each user group of your folder. Look for anything out of the ordinary.

From the WSGIDaemonProcess docs:

user=name | user=#uid.rst

Defines the UNIX user name or numeric user uid of the user that the daemon processes should be run as. If this option is not supplied the daemon processes will be run as the same user that Apache would run child processes and as defined by the User directive.

Note that this option is ignored if Apache wasn’t started as the root user, in which case no matter what the settings, the daemon processes will be run as the user that Apache was started as.

If you're running your user as apache it will not be running as ec2-user and the apache user must have access to all subdirectories and the containing folder /home/ec2-user/.

You could move to /var/www/, chown to user apache and run from there so you don't have to move the permissions of the ec2-users home directory.

Answer 2

This question was asked on the mod_wsgi mailing list as well. See discussion on the mailing list. Followups will be on the mailing list.

• https://groups.google.com/forum/#!topic/modwsgi/P5xjoV30TFQ

Answer 3

I got stuck on this forever and couldn't find any useful explanation. I even tried giving apache a temporary shell to test file permissions and still got nowhere. I finally came across a solution, documented here.

In short: this error can also be generated if SELinux is configured to forbid access to the directory/files in question. Check your audit.log and change the security context for the files if necessary.

chcon  --user system_u --type httpd_sys_content_t -Rv /home/ec2-user/myapp/

No warranty expressed or implied in terms of any security risks this may incur. I ran into it using a gcloud/CentOS7 default configuration, but I don't know whether that's platform or distro specific.

Good luck!