Running galaxy as an unprivileged user
I'm in the process of setting up a multi-user galaxy server and am trying to sort out permissions and am having some problems. What I'd like to end up with ideally would be:
* A galaxy-dist folder owned by a normal user
* The galaxy server running as an unprivileged user 'galaxy' and bound to port 80
At the moment I'm having to have the galaxy user own the galaxy-dist directory and bound to port 8080. So I have a couple of questions:
1) Within galaxy-dist is there a list of locations which the owner of the server process will need to read and write to so I can open up permissions on just these files/directories?
2) Is there any way to have the server be launched as root so it can bind to port 80, but then drop privileges to run as an unprivileged user after that? I found a bug on the paster.py trac site saying this wasn't something they were going to implement (there is a --user option but it drops its privileges too early), but that individual servers could implement it.
Thanks
Simon.
Simon, running behind a 'real' webserver proxy is the recommended deployment for production galaxy. That way, the paste process can run as any user on any spare port you want and your users don't even see it - it's proxied by and thus secured/authenticated by your existing web server (eg apache) setup. As an additional benefit, a web server can likely handle data flows and serve static files more efficiently.
LDAP or other existing apache authentication pass through works well for private instances and is pretty straightforward.
http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ProductionServer has some useful hints and links to start at.
Thanks for using Galaxy!
On Wed, Jul 28, 2010 at 5:50 PM, simon andrews (BI) <simon.andrews@bbsrc.ac.uk> wrote:
I'm in the process of setting up a multi-user galaxy server and am trying to sort out permissions and am having some problems. What I'd like to end up with ideally would be:
* A galaxy-dist folder owned by a normal user
* The galaxy server running as an unprivileged user 'galaxy' and bound to port 80
At the moment I'm having to have the galaxy user own the galaxy-dist directory and bound to port 8080. So I have a couple of questions:
1) Within galaxy-dist is there a list of locations which the owner of the server process will need to read and write to so I can open up permissions on just these files/directories?
2) Is there any way to have the server be launched as root so it can bind to port 80, but then drop privileges to run as an unprivileged user after that? I found a bug on the paster.py trac site saying this wasn't something they were going to implement (there is a --user option but it drops its privileges too early), but that individual servers could implement it.
Thanks
Simon.
Participants (2): Ross, simon andrews (BI)
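The bind-then-drop order raised in question 2, sketched as an added example that is not part of the thread and is not Galaxy or Paste code. The function names are hypothetical, and the 'galaxy' account from the post is assumed to exist on the host.

```python
import grp
import os
import pwd
import socket


def resolve_target(username):
    """Look up uid, gid and supplementary groups; refuse a root target."""
    pw = pwd.getpwnam(username)
    if pw.pw_uid == 0 or pw.pw_gid == 0:
        raise ValueError("target account must not be root")
    groups = [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]
    return pw.pw_uid, pw.pw_gid, sorted(set(groups + [pw.pw_gid]))


def bind_listener(host, port):
    """Create the listening socket; ports below 1024 need root at this point."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(username):
    """Permanently switch from root to `username`; call only after bind()."""
    if os.geteuid() != 0:
        raise PermissionError("not running as root, nothing to drop")
    uid, gid, groups = resolve_target(username)
    os.setgroups(groups)   # 1. replace root's supplementary groups
    os.setgid(gid)         # 2. group before user: setgid still needs root
    os.setuid(uid)         # 3. as root this sets real, effective and saved uid
    os.umask(0o077)        # files created from here on are owner-only
    try:                   # 4. verify the drop cannot be undone
        os.setuid(0)
    except PermissionError:
        return uid, gid
    raise RuntimeError("privilege drop is reversible, aborting")


if __name__ == "__main__":
    # Hypothetical invocation: start as root, serve as 'galaxy' on port 80.
    listener = bind_listener("0.0.0.0", 80)
    print("now running as uid/gid", drop_privileges("galaxy"))
    print("still listening on", listener.getsockname())
```

The already-bound socket stays usable after the drop, so the privileged port is the only thing root is needed for.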