Secure django file permissions

I am looking for a basic set of file permissions to make django installation as safe as possible.

I cannot find any obvious link either on the Django site or on Google.

Any links or tips?

I am using Apache + mod_wsgi + django. I do not have boot directories for permission. This is truly a basic setup.

I am currently running my code successfully:

    /var/www/djangodir
        /django
        /3rdpartyapp
        /myapp
        /serverfiles/my.wsgi

    all directories: 755 owned by root.root
    all files:       644 owned by root.root

    exceptions to all files
    -----------------------
    settings.py file: 400 owned by apache.apache
    my.wsgi:          400 owned by apache.apache

I do not like 644 on all files, and I would like to tighten it, but it seems that I cannot live with 400 or 500. The wsgi application cannot import anything from django if I do this.

Help!

+4
2 answers

Use mod_wsgi daemon mode and run the Django application in it. Set the user / group for that daemon process group to a special user for the Django application, different from the Apache user. Keep the WSGI script file that you are using outside of the Django project.

The directory containing the WSGI script file can then be 700 if it is owned by the Apache user. The WSGI script file inside it should only be 400 and need not even be owned by the Apache user; it may be owned by root or by the separate Django application user. All the Apache user needs is the ability to see that the WSGI script file exists in the directory; it does not need to be able to open the WSGI script file.

All your project code and virtual environment can be in a directory structure owned by the separate Django user, with all directories 0700 and files readable / writable as needed. Only the Django application user should have access, since all access will come from the daemon process group running as that user.

This way you have limited access so that the Apache user cannot even see your project code. Thus, if you are hosting other things in the same Apache, such as PHP, there is no risk that a break-in via the PHP code can access the files.

+6

Thanks for the great answer! I don't know how you find the time to answer all the questions I have seen your fingerprints on all these years, but you are doing a huge service for the entire python / django / wsgi community. I liked your blog post: http://blog.dscpl.com.au 12/5/2012 about diluting good advice and goodwill in these forums. It is definitely hard to break through all the stupid things.

In any case, for everyone who watches this topic, it works.

    root.root:      755 /var/saas                <- topdir
    apache.apache:  755 /var/saas/wsgi           <- apache folder
    vsn.vsn:        400 /var/saas/wsgi/vsn.wsgi  <- wsgi file
    vsn.vsn:        700 /var/saas/vsn            <- django code
    root.root:      700 /var/saas/scripts        <- operations scripts
    root.root:      700 /var/saas/config         <- temp config folder
    apache.apache:  444 /var/www/html/static     <- destination of django's: python ./manage.py collectstatic

I couldn't get this to work with 700 permissions on the apache folder, but I'm happy with 755. One of the great unsolved mysteries of apache, I guess.

+5
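The two answers above describe one layout between them: a dedicated Django user for the daemon process group, a WSGI script directory that belongs to Apache, a 400 script owned by the Django user, and project code that is 700 and invisible to the Apache user. The script below is an added example, not code from either poster or from the mod_wsgi project; it builds that tree, writes a matching httpd snippet, and then checks every mode so the result can be audited rather than eyeballed. The user names (apache, django), the file names (app.wsgi, settings.py), and the use of GNU stat and find are assumptions. The script directory gets 755, as in the follow-up, rather than the 700 the first answer suggests: the daemon process runs as the Django user and needs execute (search) permission on that directory to open the script, which is the reason the 700 variant did not work. Ownership changes require root; run unprivileged and the modes are still applied and verified on a temporary tree.

```shell
#!/bin/sh
# Added example, not code from either poster or from mod_wsgi itself.
# Builds the layout both answers converge on, writes a matching httpd
# snippet, and verifies every mode. Assumed (not from the page): the
# user names below, the file names app.wsgi / settings.py, GNU stat/find.
# chown needs root; unprivileged runs keep the caller as owner but still
# apply and check the modes, so the script can be tried on a temp tree.
set -eu

APACHE_USER="${APACHE_USER:-apache}"
DJANGO_USER="${DJANGO_USER:-django}"

# chown only when running as root; warn instead of aborting if the
# target account does not exist on this host.
own() {
    if [ "$(id -u)" -eq 0 ]; then
        chown "$@" 2>/dev/null || echo "warning: chown $* failed (user missing?)"
    fi
}

# Print a path's octal mode (GNU stat; BSD/macOS would need stat -f %Lp).
mode_of() { stat -c '%a' "$1"; }

# Create the tree under $1 and apply the modes.
layout_django_perms() {
    base="$1"
    mkdir -p "$base/wsgi" "$base/project/myapp" "$base/venv/bin"

    # WSGI script directory, owned by Apache. 755 rather than 700: the
    # daemon process runs as DJANGO_USER and needs search permission here
    # to open the script, which is what the follow-up ran into with 700.
    chmod 755 "$base/wsgi"
    own "$APACHE_USER:$APACHE_USER" "$base/wsgi"

    # WSGI script: 400, owned by the Django user. Apache never opens it;
    # only the daemon process does. Contents are a constructed stub.
    rm -f "$base/wsgi/app.wsgi"
    cat > "$base/wsgi/app.wsgi" <<'EOF'
# constructed stub; a real file would call get_wsgi_application()
application = None
EOF
    chmod 400 "$base/wsgi/app.wsgi"
    own "$DJANGO_USER:$DJANGO_USER" "$base/wsgi/app.wsgi"

    # Project code and virtualenv: Django user only, 700 dirs / 600 files.
    : > "$base/project/settings.py"
    : > "$base/project/myapp/views.py"
    : > "$base/venv/bin/activate"
    find "$base/project" "$base/venv" -type d -exec chmod 700 {} +
    find "$base/project" "$base/venv" -type f -exec chmod 600 {} +
    own -R "$DJANGO_USER:$DJANGO_USER" "$base/project" "$base/venv"
}

# Write the httpd directives that go with the layout (constructed; drop
# the file into Apache's conf.d). $1 = output file, $2 = base directory.
write_httpd_conf() {
    cat > "$1" <<EOF
WSGIDaemonProcess django_site user=$DJANGO_USER group=$DJANGO_USER python-home=$2/venv python-path=$2/project
WSGIProcessGroup django_site
WSGIScriptAlias / $2/wsgi/app.wsgi
<Directory $2/wsgi>
    Require all granted
</Directory>
EOF
}

# Compare one path's mode with what we expect; sets ok=1 on mismatch.
check_mode() {
    if [ "$(mode_of "$1")" != "$2" ]; then
        echo "BAD  $1 is $(mode_of "$1"), want $2"
        ok=1
    fi
}

# Return 0 when the tree under $1 matches the layout, 1 otherwise.
verify_layout() {
    ok=0
    check_mode "$1/wsgi" 755
    check_mode "$1/wsgi/app.wsgi" 400
    check_mode "$1/project" 700
    check_mode "$1/project/settings.py" 600
    check_mode "$1/venv" 700
    # nothing under project/ or venv/ may be group- or world-accessible
    if find "$1/project" "$1/venv" -perm /077 | grep -q .; then
        echo "BAD  group/world-accessible entries under $1"
        ok=1
    fi
    return $ok
}

# Demo on a temporary tree (safe to run unprivileged).
DEMO="$(mktemp -d)"
layout_django_perms "$DEMO"
write_httpd_conf "$DEMO/django_site.conf" "$DEMO"
verify_layout "$DEMO" && echo "layout OK under $DEMO"
```

`verify_layout` is the part worth keeping around: run it from cron or a deploy hook against the real base directory and it reports any file under the project or virtualenv that has drifted to group- or world-readable, which is the case a stray `collectstatic` or editor save tends to create.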

Source: https://habr.com/ru/post/1479441/
