On Sun, Jun 27, 2010 at 10:50 AM, Rusty Shackleford <rusty.c.shacklef...@gmail.com> wrote:
> Hi,
>
> I'm about to deploy my first Django app, but I have a few questions
> about permissions.
>
> The project container is at '/usr/local/sites' with '775 root www-data'.
>
> I have the project stored at '/usr/local/sites/project' with '755 www-data www-data'.
>
> I have NGINX aliased to '/usr/local/sites/project/static' with '755 www-data www-data' for static content.
>
> Are these permissions reasonable?
>
> Rusty
They are fine ... but ...

As you are thinking about permissions, these permissions would allow an attacker who managed to compromise a web app running as www-data to alter the project code.

A way to mitigate that risk is to have the owner of these files as a separate role user, e.g. <project>-services, with the group as www-data, and with permissions u+rw,g+r,a-rw (user read/write, group read, everyone else can get stuffed).

If you run many web apps on the one box, you could also use a completely separate user to run the app, and communicate over FastCGI with TCP/IP. That way, the only way a compromised web app could lead to an attacker reading your project files would be if it was your web app that was compromised.

I wouldn't agree with the poster who suggested that 'As long as the last number is 4 or greater (at least read access for all) you should be fine' - that will allow it to run, for sure, but you can be more secure with just a little thought, so why not?

Cheers
Tom
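As an added example (editor's code, not Tom's or the Django project's), the following shell functions apply the scheme Tom describes in words to a project tree and then audit it: a separate role user owns the files, the web server's group (www-data) gets read only, and everyone else gets nothing. In octal that is 640 on files and 750 on directories; the execute bit on directories is needed so that www-data and nginx can traverse into the tree (and into static/), which the post does not spell out. The owner, group and directory are parameters; the role-user name "project-services" used in the comments is Tom's suggestion, not an account that exists on any system, and the demo() function builds a scratch tree under mktemp with the invoking user's own account so that it runs without root.

```shell
#!/bin/sh
# Added example: enforce and audit the ownership/permission scheme from the
# thread on a Django project tree. Parameters are assumptions:
#   dir    e.g. /usr/local/sites/project
#   owner  a role user that is NOT the web server's account, e.g. project-services
#   group  the web server's group, e.g. www-data
# harden_tree needs root when the owner is someone else (chown); audit_tree
# only needs read access to the tree.
set -eu

# Owner read/write, group read, others nothing:
#   directories 750 (rwxr-x---) - group needs x to traverse into static/
#   files       640 (rw-r-----) - group read lets www-data import and nginx serve
harden_tree() {
    dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# Report anything under dir that a process running as the web group (or as
# anyone else) could write to, or that has drifted away from owner:group.
# Prints the offenders on stderr; returns 0 when clean, 1 otherwise.
audit_tree() {
    dir=$1; owner=$2; group=$3
    offenders=$(find "$dir" \( -perm -g+w -o -perm -o+w \
                              -o ! -user "$owner" -o ! -group "$group" \) -print)
    if [ -n "$offenders" ]; then
        printf 'writable or mis-owned entries under %s:\n%s\n' "$dir" "$offenders" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on a constructed scratch tree (not a real
# project), using the invoking user and primary group so no root is needed.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/project/static"
    printf 'SECRET_KEY = "example"\n' > "$scratch/project/settings.py"
    : > "$scratch/project/static/site.css"
    chmod 777 "$scratch/project/static"   # the kind of drift harden_tree must undo
    harden_tree "$scratch/project" "$(id -un)" "$(id -gn)"
    if audit_tree "$scratch/project" "$(id -un)" "$(id -gn)"; then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return $status
}
```

Anything the application genuinely has to write at runtime (an uploaded-media directory, an SQLite database file) must be carved out deliberately with g+w and will, correctly, show up in audit_tree's output; the point of the audit is that the list of writable places is short, known, and never includes the code. Re-run audit_tree after every deploy, since a careless `git pull` or `collectstatic` run as the wrong user is the usual way the ownership drifts back.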