I see a lot of different advice online as to where to serve your web application from, what user to run it as, etc.
For instance, I've seen it served from: /var/www/site, /srv/www/site, /home/$USER/site.
I've seen the user be www-data, $USER (i.e. my user account), or a custom user specifically created for that purpose (e.g. user uwsgi).
In terms of security, what is the best scheme I could choose?
For reference, I'm trying to deploy a Django site with Nginx and uwsgi.
Right now, uwsgi is running as root in emperor mode, with uid/gid set as www-data, so vassals spawn with the same permissions as Nginx workers. I'm serving from /home, but thinking of moving.
For location, choose what seems best to you. Here are some considerations to help out:
- Locations under
/var
are for files which change in size, or generally are "variable."
/srv
generally indicates files related to some service running on the machine.
/home
should usually be reserved for interactive users. You can set a system user's home directory to anything, though.
For security, you should segment as much as possible. The app should not run as the same user as the web server, so that it can't be abused to read sensitive files relating to the server itself (.htaccess
or whatever). The app's binary files (or for Django, the python source) should be owned by root, without write access to the application user.
Here's my 2 cents on how to set it up:
- Django app:
/usr/lib/appname/
or /usr/lib/python/site-packages/appname/
if installed. Owned by root, chmod 644.
- App's files (e.g. sqlite db file, Unix socket for FastCGI, uploaded file storage, etc):
/var/lib/appname/
. Owned by app-user, chmod 600.
- app-user's shell is
/bin/nologin
, home is /var/lib/appname/
. User has no configured password.