Skip to content

Install WebAdmin dependencies in a dedicated venv #135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
aravindhbalaji04 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Install WebAdmin dependencies in a dedicated venv #135

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions INSTALL-Installer.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,9 @@ npm -v

### Install Python packages
```bash
python3 -m pip install --break-system-packages --ignore-installed urllib3==1.26.15 mysqlclient
python3 -m venv /opt/fitcrack-webadmin-venv
/opt/fitcrack-webadmin-venv/bin/python3 -m pip install --upgrade pip
/opt/fitcrack-webadmin-venv/bin/python3 -m pip install --ignore-installed urllib3==1.26.15 mysqlclient
Comment on lines +111 to +113

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This creates a venv in /opt/fitcrack-webadmin-venv, but the rest of the installer flow (and scripts like measureUsage.py with #!/usr/bin/python3) won’t use it unless you explicitly reference that interpreter. If these packages are needed by system-Python daemons, they should be installed via distro packages or the daemon should be updated to run using the venv’s python; otherwise, clarify/remove this step to avoid a non-functional venv.

Suggested change
python3 -m venv /opt/fitcrack-webadmin-venv
/opt/fitcrack-webadmin-venv/bin/python3 -m pip install --upgrade pip
/opt/fitcrack-webadmin-venv/bin/python3 -m pip install --ignore-installed urllib3==1.26.15 mysqlclient
# Fitcrack scripts/services use /usr/bin/python3, so install these into the
# system Python environment rather than an unused virtualenv.
python3 -m pip install --upgrade pip
python3 -m pip install --ignore-installed urllib3==1.26.15 mysqlclient

Copilot uses AI. Check for mistakes.
```

### Setup the MariaDB server
Expand Down Expand Up @@ -190,7 +192,9 @@ dnf install -y \

### Install Python packages for Fitcrack
```bash
python3 -m pip install --ignore-installed mysqlclient urllib3==1.26.15
python3 -m venv /opt/fitcrack-webadmin-venv
/opt/fitcrack-webadmin-venv/bin/python3 -m pip install --upgrade pip
/opt/fitcrack-webadmin-venv/bin/python3 -m pip install --ignore-installed mysqlclient urllib3==1.26.15
Comment on lines +195 to +197

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue as above for CentOS: creating /opt/fitcrack-webadmin-venv doesn’t affect scripts that run under system Python unless they’re executed with that venv’s interpreter. Either document how this venv is wired into runtime (systemd/daemon invocation / Apache python-home), or switch the guidance to installing the needed modules in the environment that actually runs the scripts.

Copilot uses AI. Check for mistakes.
```

### Install Node 16.15
Expand Down
28 changes: 26 additions & 2 deletions installer/install_webadmin.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@
##################################

echo "Installing back-end requirements..."
python3 -m pip install --break-system-packages --ignore-installed -r webadmin/fitcrackAPI/src/requirements.txt
WEBADMIN_VENV_PATH="$APACHE_DOCUMENT_ROOT/fitcrackAPI/.venv"
echo "Back-end dependencies will be installed into a dedicated virtualenv: $WEBADMIN_VENV_PATH"
echo "Done."
Comment on lines 11 to 14

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The status output at the top is now misleading: it prints "Installing back-end requirements..." and "Done." but doesn’t actually install anything until later in the script. Consider moving/removing these messages or performing the venv/pip work here so logs accurately reflect what happened.

Copilot uses AI. Check for mistakes.

####################################
Expand Down Expand Up @@ -191,7 +192,7 @@ else
fi

echo "<VirtualHost *:$BACKEND_PORT>" >> $BE_CONFIG_FILE
echo " WSGIDaemonProcess fitcrack user=$APACHE_USER group=$APACHE_USER threads=5" >> $BE_CONFIG_FILE
echo " WSGIDaemonProcess fitcrack user=$APACHE_USER group=$APACHE_USER threads=5 python-home=$WEBADMIN_VENV_PATH" >> $BE_CONFIG_FILE

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The generated Apache vhost sets group=$APACHE_USER, but the script separately tracks APACHE_GROUP (and later chowns files to $APACHE_USER:$APACHE_GROUP). If APACHE_GROUP is customized, mod_wsgi will run under an unexpected group and may fail to access files. Use the configured group variable consistently.

Suggested change
echo " WSGIDaemonProcess fitcrack user=$APACHE_USER group=$APACHE_USER threads=5 python-home=$WEBADMIN_VENV_PATH" >> $BE_CONFIG_FILE
echo " WSGIDaemonProcess fitcrack user=$APACHE_USER group=$APACHE_GROUP threads=5 python-home=$WEBADMIN_VENV_PATH" >> $BE_CONFIG_FILE

Copilot uses AI. Check for mistakes.
echo " WSGIScriptAlias / $APACHE_DOCUMENT_ROOT/fitcrackAPI/src/wsgi.py" >> $BE_CONFIG_FILE
echo " WSGIPassAuthorization On" >> $BE_CONFIG_FILE
echo " <Directory $APACHE_DOCUMENT_ROOT/fitcrackAPI/src/>" >> $BE_CONFIG_FILE
Expand Down Expand Up @@ -295,6 +296,29 @@ if [ $INSTALL_BACKEND = "y" ]; then
echo "Installed to $APACHE_DOCUMENT_ROOT/fitcrackAPI."
fi

if [ -d "$APACHE_DOCUMENT_ROOT/fitcrackAPI/src" ]; then
echo "Installing Python dependencies into WebAdmin virtualenv..."

if ! command -v python3 >/dev/null 2>&1; then
echo "Python3 is not available. Install python3 and python3-venv first."
exit 1
fi

python3 -m venv "$WEBADMIN_VENV_PATH"
if [ $? -ne 0 ]; then
echo "Failed to create virtualenv at $WEBADMIN_VENV_PATH."
echo "Make sure python3-venv (or equivalent) is installed."
exit 1
fi

"$WEBADMIN_VENV_PATH/bin/python3" -m pip install --upgrade pip
"$WEBADMIN_VENV_PATH/bin/python3" -m pip install --ignore-installed -r "$APACHE_DOCUMENT_ROOT/fitcrackAPI/src/requirements.txt"

chmod -R 775 "$WEBADMIN_VENV_PATH"
chown -R $APACHE_USER:$APACHE_GROUP "$WEBADMIN_VENV_PATH"
Comment on lines +317 to +318

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The venv is being made writable/owned by the Apache runtime user (chmod -R 775 + chown -R $APACHE_USER...). That allows a web-server compromise to modify Python packages/code inside the venv and persist RCE. Prefer keeping the venv owned by root (or a dedicated admin user) and only readable/executable by Apache; avoid recursive group-writable permissions.

Suggested change
chmod -R 775 "$WEBADMIN_VENV_PATH"
chown -R $APACHE_USER:$APACHE_GROUP "$WEBADMIN_VENV_PATH"
chown -R root:root "$WEBADMIN_VENV_PATH"
chmod -R a+rX,u+w "$WEBADMIN_VENV_PATH"

Copilot uses AI. Check for mistakes.
echo "Back-end Python dependencies installed in virtualenv."
fi

sed -i "s|http://localhost:5000|$BACKEND_URI:$BACKEND_PORT|g" $BOINC_PROJECT_DIR/bin/measureUsage.py

#######################
Expand Down
7 changes: 4 additions & 3 deletions webadmin/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ systemctl restart apache2
On Centos/RHEL:
```
yum install -y python3-devel python3 python3-pip python3-mod_wsgi
pip3 install mysqlclient
```


Expand All @@ -22,7 +21,9 @@ pip3 install mysqlclient
Install backend dependencies
```
cd /var/www/fitcrackAPI/src
sudo pip3 install -r requirements.txt
python3 -m venv /var/www/fitcrackAPI/.venv
/var/www/fitcrackAPI/.venv/bin/python3 -m pip install --upgrade pip
/var/www/fitcrackAPI/.venv/bin/python3 -m pip install -r requirements.txt
Comment on lines +24 to +26

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These steps require the venv module (e.g., Debian/Ubuntu package python3-venv). The dependency list above doesn’t mention it, so python3 -m venv ... may fail on a fresh system. Please add python3-venv (or distro equivalent) to the prerequisites for platforms where it’s a separate package.

Copilot uses AI. Check for mistakes.
```


Expand Down Expand Up @@ -80,7 +81,7 @@ Change `/etc/apache2/sites-available/000-default.conf` to:
Listen 5000
<VirtualHost *:5000>

WSGIDaemonProcess fitcrack user=boincadm group=boincadm threads=5
WSGIDaemonProcess fitcrack user=boincadm group=boincadm threads=5 python-home=/var/www/fitcrackAPI/.venv
WSGIScriptAlias / /var/www/fitcrackAPI/src/wsgi.py

<Directory /var/www/fitcrackAPI/src/>
Expand Down
Loading