On Fri, Mar 9, 2012 at 4:43 PM, [email protected] <[email protected]> wrote:
> My apache2 server on linux is running as www-data. My project is in a
> standard user account. apache2 can't access files on the user account
> unless I change the user on the user account directory to www-data.
> But when I do that, I can't ssh to the account. What is the best way
> to set up the account so that apache can have access and I can ssh?
> Thks
>

Which files? Code files, or media files?

You don't want media files writeable by www-data, as this would mean that any attacker who exploits your web server can now overwrite your media files. Having read access to these files should be enough, and you should have that by default.

Similarly, your project code files should not even be writable by apache, as this would allow an attacker to overwrite them as well. Since your project code files are executed by the web server, an attacker who can overwrite a specific file now has a remote code exploit.

I would go one step further, and not even allow apache to read your project code. You can do this by running your django app over fastcgi. Run your fastcgi app on a socket, and configure apache to use that socket.

Cheers

Tom
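
An added example, not part of the thread: a Python audit of the permission model discussed in the reply above. It lists paths the web server account cannot read or traverse and paths it can write, using classic Unix mode bits only (POSIX ACLs and SELinux are ignored); the `allowed` and `audit` names and the command-line defaults are assumptions.

```python
import os
import stat

def allowed(st, uid, gids, want):
    """True if (uid, gids) gets every bit in `want` (r=4, w=2, x=1) from the mode bits."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7   # owner class
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7   # group class
    else:
        bits = st.st_mode & 7          # other class
    return bits & want == want

def audit(project, uid, gids):
    """Return (blocked, writable) path lists for the web server identity."""
    project = os.path.abspath(project)
    blocked, writable = [], []
    # Every directory from / down to the project needs search (x) permission,
    # otherwise nothing below it is reachable, whatever the file modes say.
    parts = project.split(os.sep)
    for i in range(1, len(parts) + 1):
        ancestor = os.sep.join(parts[:i]) or os.sep
        if not allowed(os.stat(ancestor), uid, gids, 1):
            blocked.append(ancestor)
    if allowed(os.stat(project), uid, gids, 2):
        writable.append(project)
    for root, dirs, files in os.walk(project):
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue               # symlink modes carry no meaning
            need = 5 if stat.S_ISDIR(st.st_mode) else 4
            if not allowed(st, uid, gids, need):
                blocked.append(path)
            if allowed(st, uid, gids, 2):
                writable.append(path)
    return blocked, writable

if __name__ == "__main__":
    import grp, pwd, sys
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        sys.exit("no such account: " + user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    blocked, writable = audit(path, pw.pw_uid, gids)
    print("\n".join(["blocked: " + p for p in blocked] + ["WRITABLE: " + p for p in writable]))
```

A home directory with mode 700 shows up under `blocked` even when every file inside is world-readable, which is the situation the original question describes; anything under `WRITABLE` is a file the web server account could overwrite.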

