Django on Linux best practices question

David Fawcett

Nov 25, 2013, 2:38:32 PM
to pym...@googlegroups.com
I am working on a Django app on RHEL6 with Apache and mod_wsgi. 

I threw together a quick demo app in /home/myuser/myproject, but as I was configuring the app, it became apparent that maybe /home/ isn't a great place for Django projects.  When using mod_wsgi, you have to grant read rights down to your project folder. 

Is there a best practices recommendation on where to create the Django project folder (and associated virtualenv)?  There are quite a few examples of people putting their projects in /var/www/ but that is obviously not a good idea.

Maybe /srv/myDjangoProject ?

Thanks,

David.

Kyle Marek-Spartz

Nov 25, 2013, 2:47:24 PM
to pym...@googlegroups.com, David Fawcett
I don’t use Django (Flask here!), but one approach that might work is creating a user for the app. This has the additional benefit in that it would allow you to assign exactly the permissions the app needs to operate and no more. This limits privilege escalation when your app is compromised, and prevents myuser from being blamed for everything that the app user does. It also allows you to work in a group, where each group member can su into the app user and perform actions as needed. You can use file permissions to control a number of things, but also limit database access to this user, and even allow it to safely reload Apache automatically (using sudoers to allow that but nothing else) in a continuous integration type of setup.

-- 
Kyle Marek-Spartz

Nate Swanson

Nov 25, 2013, 3:49:11 PM
to pym...@googlegroups.com
Yeah, we use /srv/ on our Debian boxes. /srv/python/ actually, since we have multi-language server apps. 

David Fawcett

Nov 25, 2013, 4:32:50 PM
to pym...@googlegroups.com
Thanks guys.  I did already have a dedicated user for the app, but I was still not sure about using /home/myappuser.  I think that the trick is to ensure that this user doesn't get any new purposes/responsibilities/rights over time. 

David.

Derek Anderson

Nov 27, 2013, 11:34:08 AM
to pym...@googlegroups.com
I like to use gunicorn in general (pip package) and install it into a venv, then the whole app can be run from the user with least permissions.


Derek
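
An added example, not part of any post in this thread: the first message notes that mod_wsgi needs read rights down to the project folder, so this Python sketch audits that directory chain for the account the server runs as. The temporary tree, the `demo` helper and the uid are constructed stand-ins; only POSIX mode bits are checked.

```python
import os
import stat
import tempfile
from pathlib import Path

def class_bits(st, uid, gids):
    """rwx bits (0-7) that POSIX mode checks apply to this uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_chain(project_dir, uid, gids, stop_at="/"):
    """List (name, mode, issues) for each directory from stop_at down to
    project_dir. ACLs and SELinux labels are not evaluated."""
    project, stop = Path(project_dir).resolve(), Path(stop_at).resolve()
    chain = [p for p in [*reversed(project.parents), project]
             if p == stop or stop in p.parents]
    findings = []
    for d in chain:
        st = d.stat()
        bits, issues = class_bits(st, uid, gids), []
        if not bits & 1:
            issues.append("no-traverse")         # server cannot reach the project
        if d == project and not bits & 4:
            issues.append("no-read")             # server cannot list the project
        if bits & 2:
            issues.append("writable-by-server")  # a compromised app could alter this
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            issues.append("world-writable")
        findings.append((d.name, stat.filemode(st.st_mode), issues))
    return findings

def demo(home_mode=0o700):
    """Constructed tree <tmp>/home/myuser/myproject, audited for a uid that
    owns none of it (stand-in for the Apache/mod_wsgi account)."""
    base = Path(tempfile.mkdtemp())
    project = base / "home" / "myuser" / "myproject"
    project.mkdir(parents=True)
    for path, mode in ((base / "home", 0o755), (project.parent, home_mode),
                       (project, 0o755)):
        os.chmod(path, mode)
    return audit_chain(project, uid=os.getuid() + 1, gids=set(),
                       stop_at=base / "home")

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A home directory with mode 0700 shows up as `no-traverse`; opening it far enough for the server is the trade-off the thread is weighing against a location such as /srv.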