Friday, March 9, 2012

Re: apache2 privileges

On Fri, Mar 9, 2012 at 4:43 PM, john@jsdey.com <john@jsdey.com> wrote:
> My apache2 server on linux is running as www-data.  My project is in a
> standard user account.  apache2 can't access files on the user account
> unless I change the user on the user account directory to www-data.
> But when I do that, I can't ssh to the account.  What is the best way
> to set up the account so that apache can have access and I can ssh?
> Thks
>

Which files? Code files, or media files?

You don't want media files writeable by www-data, as this would mean
that any attacker who exploits your web server can now overwrite your
media files. Having read access to these files should be enough, and
you should have that by default.

Similarly, your project code files should not even be writable by
apache, as this would allow an attacker to overwrite them as well.
Since your project code files are executed by the web server, an
attacker who can overwrite a specific file now has a remote code
exploit.

I would go one step further, and not even allow apache to read your
project code. You can do this by running your django app over fastcgi.
Run your fastcgi app on a socket, and configure apache to use that
socket.

Cheers

Tom

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
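An added example, not part of the message above or of any Django or Apache code: a Python audit of the layout the reply recommends, listing every path under a project that the web server account could modify and the first parent directory it cannot search. The function names are hypothetical, only classic mode bits are evaluated (no ACLs), and `www-data` is the account named in the thread.

```python
import os
import stat

def perm_bits(st, uid, gids):
    """Return the rwx triplet (0-7) the kernel applies to this account.

    Classic mode bits only: POSIX ACLs are ignored and uid 0 bypasses them.
    """
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def writable_paths(root, uid, gids):
    """List files and directories under root that the account could modify.

    Directories count: write permission on a directory lets the account
    replace or delete entries in it (unless the sticky bit restricts that).
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and perm_bits(st, uid, gids) & 2:
                found.append(path)
    return sorted(found)

def first_blocked_dir(directory, uid, gids, top="/"):
    """Return the first directory on the chain top -> directory that the
    account cannot search (no x bit), or None if the whole chain is open."""
    top = os.path.abspath(top)
    rel = os.path.relpath(os.path.abspath(directory), top)
    current = top
    for part in [""] + [p for p in rel.split(os.sep) if p != "."]:
        current = os.path.join(current, part) if part else current
        if not perm_bits(os.stat(current), uid, gids) & 1:
            return current
    return None

if __name__ == "__main__":
    import grp, pwd, sys
    acct = pwd.getpwnam("www-data")  # account named in the thread
    gids = {acct.pw_gid} | {g.gr_gid for g in grp.getgrall()
                            if acct.pw_name in g.gr_mem}
    target = sys.argv[1]  # project directory to audit
    print("not searchable:", first_blocked_dir(target, acct.pw_uid, gids))
    print("writable by www-data:", writable_paths(target, acct.pw_uid, gids))
```

An empty writable list together with no blocked directory means the account can read the tree but not change it.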
