PIL error when using effective-user on Ubuntu Hardy

Guido Stevens () PIL error when using effective-user on Ubuntu Hardy
Hi all,

I'm running into a strange problem when deploying to Ubuntu Hardy.

Starting Plone via 'bin/instance fg' as a normal unprivileged user works
just fine. However, switching to production mode (chowning parts+var to
www-data, starting as root, effective-user=www-data) gives a strange
exception on PIL:

ImportError: No module named misc.lock_file

I found one earlier report on this exact same backtrace:
http://plone.org/support/forums/setup#nabble-td351730|a14694830
That doesn't help me much though, link rot.

This is a clean Hardy box with python-imaging installed just fine.
Running Plone-3.3, nothing special.

Oh, and very interesting: doing a test deploy to a Debian Etch system
does not result in this error.

Can anybody help me forward here?

:*CU#
--
***   Guido A.J. Stevens        ***   tel: +31.43.3618933    ***
***   [hidden email]   ***   Postbus 619            ***
***   http://www.cosent.nl      ***   6200 AP  Maastricht    ***

             s h a r i n g    m a k e s    s e n s e


_______________________________________________
Product-Developers mailing list
[hidden email]
http://lists.plone.org/mailman/listinfo/product-developers
Mikko Ohtamaa () Re: PIL error when using effective-user on Ubuntu Hardy

> Starting Plone via 'bin/instance fg' as a normal unprivileged user works
> just fine. However, switching to production mode (chowning parts+var to
> www-data, starting as root, effective-user=www-data) gives a strange
> exception on PIL:
>
> ImportError: No module named misc.lock_file

This is just a guess, but could buildout fetch, compile and store a custom PIL somewhere where effective-user does not have access (/root/.buildoutcache)? Ubuntu might try to fall back to a different, system-wide PIL version, which is an incompatible version.

--
Mikko Ohtamaa
http://www.twinapex.com - Python professionals for hire

Guido Stevens () Re: PIL error when using effective-user on Ubuntu Hardy
Mikko Ohtamaa wrote:

>
>     Starting Plone via 'bin/instance fg' as a normal unprivileged user
>     works just fine. However, switching to production mode (chowning
>     parts+var to www-data, starting as root, effective-user=www-data)
>     gives a strange exception on PIL:
>
>     ImportError: No module named misc.lock_file
>
>
> This is just a guess, but could buildout fetch, compile and store a
> custom PIL somewhere where effective-user does not have access
> (/root/.buildoutcache)?

Nope, the error persists if I make the eggs cache read/write for www-data.

> Ubuntu might try to fall back to a different,
> system-wide PIL version, which is an incompatible version.

Wow. The backtrace rendered contains code snippets which aren't even
present in PIL. It looks more like this error generates from
parts/zope2/lib/python/Zope2/Startup.

Will dive into this deeper tomorrow.
--
***   Guido A.J. Stevens        ***   tel: +31.43.3618933    ***
***   [hidden email]   ***   Postbus 619            ***
***   http://www.cosent.nl      ***   6200 AP  Maastricht    ***

             s h a r i n g    m a k e s    s e n s e


Derek Broughton-3 () Re: PIL error when using effective-user on Ubuntu Hardy
In reply to this post by Mikko Ohtamaa
Mikko Ohtamaa wrote:

>> Starting Plone via 'bin/instance fg' as a normal unprivileged user works
>> just fine. However, switching to production mode (chowning parts+var to
>> www-data, starting as root, effective-user=www-data) gives a strange
>> exception on PIL:
>>
>> ImportError: No module named misc.lock_file
>>
>
> This is just a guess, but could buildout fetch, compile and store a
> custom PIL somewhere where effective-user does not have access
> (/root/.buildoutcache)? Ubuntu might try to fall back to a different,
> system-wide PIL version, which is an incompatible version.

Good guess, because www-data, by design, has very limited access to anything
on an Ubuntu system.  I would think you need to chown much more than just
parts and var (my systems all have the entire buildout tree owned by the
effective-user).
--
derek



David Glick-2 () Re: Re: PIL error when using effective-user on Ubuntu Hardy
On Aug 31, 2009, at 5:25 PM, Derek Broughton wrote:
> Good guess, because www-data, by design, has very limited access to anything
> on an Ubuntu system.  I would think you need to chown much more than just
> parts and var (my systems all have the entire buildout tree owned by the
> effective-user).


Having the entire buildout tree owned by Zope's effective user is not  
a good idea from a security perspective.  It means that if someone  
exploited a security hole in Zope, they could write to Zope's  
codespace.  See Steve McMahon's and Erik Rose's great talk on this  
topic from Plone Conference 2008 for more info on this issue and steps  
to take to avoid it: http://plone.org/events/conferences/2008-washington-dc/agenda/securing-zope-and-plone-against-the-big-bad-internet


David Glick
Web Developer
ONE/Northwest

New tools and strategies for engaging people in protecting the  
environment

http://www.onenw.org
[hidden email]
work: (206) 286-1235 x32
mobile: (206) 679-3833

Subscribe to ONEList, our email newsletter!
Practical advice for effective online engagement
http://www.onenw.org/full_signup





Guido Stevens () Re: Re: PIL error when using effective-user on Ubuntu Hardy
In reply to this post by Derek Broughton-3
Derek Broughton wrote:
>>> ImportError: No module named misc.lock_file
>>>
>> This is just a guess, but could buildout fetch, compile and store a
>> custom PIL somewhere where effective-user does not have access
>
> Good guess, because www-data, by design, has very limited access to anything

It turned out to be a permission problem, indeed. My './src' directory
was not world-readable.

I got confused by the totally incorrect traceback which showed a
Zope2.Startup error in a PIL context... :-(

--
***   Guido A.J. Stevens        ***   tel: +31.43.3618933    ***
***   [hidden email]   ***   Postbus 619            ***
***   http://www.cosent.nl      ***   6200 AP  Maastricht    ***

             s h a r i n g    m a k e s    s e n s e
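
Added example (not from the thread, Plone or buildout): a Python audit that walks a buildout tree and lists paths the effective user cannot read or traverse, the cause found in the last message, and code paths that user can write, the risk David Glick describes. The function names, the `writable=("var",)` allowlist and the reliance on owner/group/other mode bits only (no ACLs) are assumptions of this example.

```python
import os
import stat


def bits_for(st, uid, gids):
    """Return the rwx bits (0-7) that the owner/group/other mode check
    grants to `uid` with group set `gids` (ACLs and root are ignored)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit_buildout(root, uid, gids, writable=("var",)):
    """Walk a buildout tree and report, relative to `root`:
    unreadable    - paths the effective user cannot read or traverse
    writable_code - paths outside `writable` that the user can modify"""
    report = {"unreadable": [], "writable_code": []}

    def check(path, need):
        rel = os.path.relpath(path, root)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return True  # symlink modes are meaningless; target is not followed
        have = bits_for(st, uid, gids)
        top = rel.split(os.sep)[0]
        if have & 2 and top not in writable:
            report["writable_code"].append(rel)
        if have & need != need:
            report["unreadable"].append(rel)
            return False
        return True

    for dirpath, dirs, files in os.walk(root):
        if not check(dirpath, 5):  # directories need read + search
            dirs[:] = []           # nothing below is reachable anyway
            continue
        for name in files:
            check(os.path.join(dirpath, name), 4)
    for key in report:
        report[key].sort()
    return report
```

The uid and group id to pass for www-data can be read with `pwd.getpwnam("www-data")`; an empty `unreadable` list together with an empty `writable_code` list is the state both posts argue for.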

