Best practices for linux user permissions to run w

2019-03-19 20:16发布

问题:

I see a lot of different advice online as to where to serve your web application from, what user to run it as, etc.

For instance, I've seen it served from: /var/www/site, /srv/www/site, /home/$USER/site.

I've seen the user be www-data, $USER (i.e. my user account), or a custom user specifically created for that purpose (e.g. user uwsgi).

In terms of security, what is the best scheme I could choose?

For reference, I'm trying to deploy a Django site with Nginx and uwsgi.

Right now, uwsgi is running as root in emperor mode, with uid/gid set as www-data, so vassals spawn with the same permissions as Nginx workers. I'm serving from /home, but thinking of moving.

回答1:

For location, choose what seems best to you. Here are some considerations to help out:

  • Locations under /var are for files which change in size, or generally are "variable."
  • /srv generally indicates files related to some service running on the machine.
  • /home should usually be reserved for interactive users. You can set a system user's home directory to anything, though.

For security, you should segment as much as possible. The app should not run as the same user as the web server, so that it can't be abused to read sensitive files relating to the server itself (.htaccess or whatever). The app's binary files (or for Django, the python source) should be owned by root, without write access to the application user.

Here's my 2 cents on how to set it up:

  • Django app: /usr/lib/appname/ or /usr/lib/python/site-packages/appname/ if installed. Owned by root, chmod 644.
  • App's files (e.g. sqlite db file, Unix socket for FastCGI, uploaded file storage, etc): /var/lib/appname/. Owned by app-user, chmod 600.
  • app-user's shell is /bin/nologin, home is /var/lib/appname/. User has no configured password.