secure django file permissions

Question

I am looking for a baseline set of file permissions to keep a django installation as secure as possible.

I cannot seem to find any obvious reference either on the Django site or Google.

Any links or clues?

I use Apache + mod_wsgi + django. I have no upload directories to permission. This is a really basic setup.

I am currently running my code successfully thus:

/var/www/djangodir 
                  /django
                  /3rdpartyapp
                  /myapp
                        /serverfiles/my.wsgi

all directorys:   755 owned by root.root
all files:        644 owned by root.root

exceptions to all files
-----------------------
settings.py file: 400  owned by apache.apache
my.wsgi:          400  owned by apache.apache

I dont like the 644 on all files and would like to tighten that up but can't seem to get away with 400 or 500. The wsgi app cannot import anything from django if I do.

Help!

Answer 1

Use mod_wsgi daemon mode and have your Django application run in it. Set user/group for that daemon process group to be a special dedicated Django application user different to the Apache user. Have the WSGI script file you use be outside of the Django project area.

The directory containing the WSGI script file then can be 700 if owned by the Apache user. The WSGI script file inside it need only be 400 and need not even be owned by the Apache user but could be owned by root or the dedicated Django application user. All the Apache user will need is the ability to see the WSGI script file in the directory, it will not need the ability to open the WSGI script file.

All your project code and virtual environment can then be in a directory structure owned by the dedicated Django user with all directories being 0700 and files readable/writeable as you see fit or as needed. Only the dedicated Django application user need have access because all accesses will be from the daemon process group running as that user.

By doing it this way you have restricted access so that the Apache user cannot even see your project code. That way if hosting other stuff on the same Apache, such as PHP, there is no risk that a break in to the PHP code can access the files.

Answer 2

Thanks for a great reply! I don't know how you find the time to answer all the questions I've seen your fingerprints on all these years, but you are doing a huge service to the entire python/django/wsgi community. I liked your blog entry: http://blog.dscpl.com.au 12/5/2012 about the dilution of good advice and goodwill on these forums. It is definitely a challenge googling past all the nonsense out there.

Anyway, for anybody watching this thread, this works.

root.root:              755 /var/saas                   <- topdir
apache.apache:          755 /var/saas/wsgi              <- apache folder
vsn.vsn:                400 /var/saas/wsgi/vsn.wsgi     <- wsgi file
vsn.vsn:                700 /var/saas/vsn               <- django code
root.root:              700 /var/saas/scripts           <- operations scripts
root.root:              700 /var/saas/config            <- temp config folder
apache.apache           444 /var/www/html/static        <- destination of django's: python ./manage.py collectstatic

I couldn't get this to work with apache permissions 700, but I am happy with 755. One of the great unsolved mysteries of apache I'm guessing.