Hello,
the problem of the root access usually comes into play when your site gets hacked (or if you don't trust the framework written by someone else, which is not always a bad idea). Up until then, you can safely run your application under root privileges.
When your site gets hacked, the main goal is to reduce the attacker's playground. If the attacker gets in with the user's password, they can do anything. If sudo is configured so that it doesn't even ask for a password, it's even worse.
All in all, the best thing is to prepare for the worst case scenario. Assume that the attacker is already on the computer. Make his place as small as possible.
Best,
Gergely
I'm running a Django app using uWSGI and nginx. I already saw in the uWSGI documentation that I should not run uWSGI as root. But does it matter if the user I run uWSGI has sudo access? Should I try to use a user that is not a sudoer or does it not really matter?
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7b28bd49-a1df-428a-b828-a085662100a1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
> ... Should I try to use a user that is not a sudoer or does it not really matter?
You should use the least privileged user you can. In the (unlikely or not) event of an exploit where the user gains access to the console, what can happen? Do you trust the system's configuration?
I think that in a production setting you should go for privilege separation as far as possible. Besides, you could always host more than one service in the same box with different credentials quite nicely.
HTH,
Carlos.
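The thread's advice (drop uWSGI to a dedicated account, and make sure that account is not a sudoer) can be turned into a small pre-deployment check. The script below is an added example, not code from the thread or from the uWSGI project: it reads the `uid`/`gid` options from a uWSGI ini (these two option names are real uWSGI settings) and then looks the account up in `/etc/group`-style data to see whether it sits in a sudo-capable group. The sample ini and group data are constructed, and the set of group names treated as sudo-capable (`sudo`, `wheel`, `admin`) is an assumption that varies by distribution. Group membership is only one way sudo rights are granted; on the real host, also run `sudo -l -U <account>` to see per-user sudoers rules.

```python
"""Audit a uWSGI ini plus /etc/group-style data: does the service drop
privileges to a dedicated account, and can that account use sudo via a group?
Added example with constructed inputs; not part of the original thread."""
import configparser

# Constructed uWSGI config: drops to the 'django' account (good so far).
UWSGI_INI = """\
[uwsgi]
chdir = /srv/app
module = app.wsgi:application
master = true
processes = 4
socket = /run/app.sock
uid = django
gid = django
"""

# Constructed config with no uid/gid: workers keep the launching user's
# privileges, i.e. root if uWSGI is started as root.
UWSGI_INI_NO_DROP = """\
[uwsgi]
chdir = /srv/app
module = app.wsgi:application
master = true
socket = /run/app.sock
"""

# Constructed /etc/group content. 'django' was carelessly added to 'admin'.
GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
django:x:1001:
admin:x:1002:bob,django
"""

# Same data after fixing the membership problem.
GROUP_FILE_FIXED = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
django:x:1001:
admin:x:1002:bob
"""

# Assumption: group names that commonly carry sudo rights (Debian/Ubuntu use
# 'sudo', RHEL/Fedora 'wheel', older Ubuntu 'admin'). Adjust per host.
SUDO_GROUPS = {"sudo", "wheel", "admin"}


def service_account(ini_text):
    """Return (uid, gid) from the [uwsgi] section, or None for each unset one."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = cp["uwsgi"]
    return section.get("uid"), section.get("gid")


def groups_of(user, group_text):
    """Supplementary groups listing 'user' in the members field of /etc/group.
    (The primary group from /etc/passwd is not covered here.)"""
    groups = set()
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if user in [m for m in members.split(",") if m]:
            groups.add(name)
    return groups


def audit(ini_text, group_text):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    uid, gid = service_account(ini_text)
    if uid is None or gid is None:
        findings.append("uid/gid not set: workers keep the launching user's "
                        "privileges (root if started as root)")
        return findings
    if uid in ("root", "0") or gid in ("root", "0"):
        findings.append("uid/gid is root: uWSGI does not drop privileges")
    risky = groups_of(uid, group_text) & SUDO_GROUPS
    if risky:
        findings.append(f"{uid} is in sudo-capable group(s): {sorted(risky)}")
    return findings


if __name__ == "__main__":
    for label, ini, groups in (("as configured", UWSGI_INI, GROUP_FILE),
                               ("after fix", UWSGI_INI, GROUP_FILE_FIXED),
                               ("no uid/gid", UWSGI_INI_NO_DROP, GROUP_FILE)):
        print(label, "->", audit(ini, groups) or ["ok"])
```

On a real host, feed `audit()` the contents of the deployed ini and of `/etc/group`; a non-empty result means either uWSGI is not dropping privileges or the account it drops to would let an attacker who lands in a worker escalate through sudo, which is exactly the playground the replies above recommend shrinking.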