Best practices for linux user permissions to run web application as?
For location, choose what seems best to you. Here are some considerations to help out:
- Locations under
/var
are for files which change in size, or generally are "variable." /srv
generally indicates files related to some service running on the machine./home
should usually be reserved for interactive users. You can set a system user's home directory to anything, though.
For security, you should segment as much as possible. The app should not run as the same user as the web server, so that it can't be abused to read sensitive files relating to the server itself (.htaccess
or whatever). The app's binary files (or for Django, the python source) should be owned by root, without write access to the application user.
Here's my 2 cents on how to set it up:
- Django app:
/usr/lib/appname/
or/usr/lib/python/site-packages/appname/
if installed. Owned by root, chmod 644. - App's files (e.g. sqlite db file, Unix socket for FastCGI, uploaded file storage, etc):
/var/lib/appname/
. Owned by app-user, chmod 600. - app-user's shell is
/bin/nologin
, home is/var/lib/appname/
. User has no configured password.