Which user account should be used for WSGIDaemonProcess?

Question

I have some Django sites deployed using Apache2 and mod_wsgi. When configuring the WSGIDaemonProcess directive, most tutorials (including the official documentation) suggest running the WSGI process as the user in whose home directory the code resides. For example:

WSGIScriptAlias / /home/joe/sites/example.com/mod_wsgi-handler.wsgi
WSGIDaemonProcess example.com user=joe group=joe processes=2 threads=25

However, I wonder if it is really wise to run the wsgi daemon process as the same user (with its attendant privileges) which develops the code. Should I set up a service account whose only privilege is read-only access to the code in order to have better security? Or are my concerns overblown?

Answer 1

It is a good general practice to run your services with unprivileged accounts whenever possible. For processes that need root-only resources (ports < 1024, accessing certain files) the process should acquire them and then immediately drop privileges.

A few other tips.. From your phrase "run the ... process as the same user ... which develops the code" it sounds a bit like the developers are writing code on the production hosts. Are you using some form of source change control system (e.g. git, svn)? Developers should code on dev-only machines and commit to a shared repository, from which you can release stable builds. Deploy code from the repository after it is integration tested, and ideally package it for installation (DEB, RPM, EGG, etc). This will reduce errors slipping into production, make releases repeatable, avoid code loss if a host drops dead, and so on.

Answer 2

You'd better do chown www-user:www-data -R dirname of your code(Or apache:apache). The most important data on your pc is your, user data, so moving services away from your user is better.

Answer 3

The reason that you find it said that user should be that of the home directory is because on many systems the home directory has permissions of 'drwx------' which means that only the user can read stuff in there. So, you basically have no choice if you are going to put stuff in a home directory of a user.

You would also find it suggested that it is therefore better not to have it in your home directory at all and instead place it where other web server stuff is, but not under the DocumentRoot of any virtual server or the main server. By doing that, the directory restrictions aren't going to apply and Apache user could read it.

Overall the best idea, especially if the box is also your own development machine, is to do a separate deploy of code into this separate area, making code files non writable and then running it all as some separate dedicated non privileged user.