I'm currently in the process of upgrading our production machines, and while I'm at it I'm changing the way some of the permissions work.
I'm nearly done, but I'm stuck on the static files portion (the last bit).
Currently, the static files are hosted on two other machines that are NFS mounted to the app servers. Currently, a collectstatic sends the new static files, where they are served up the first time to our CDN, after which they are cached. All files on this box are owned by ubuntu:ubuntu (which is a sudoer). You can't hit these app-servers directly on port 80 or 443, you always need to go through cloudfront, which forwards to the static file servers on a need basis.
I'm also implementing django-pipeline and therefore the server needs write permission to this area. The developers need write permission as well.
I currently set up the code (initially) to look something like www-data:developers where the devs are all in the group developers. However, www-data itself needs write permission to the static files location, but I don't want it to have write permission elsewhere.
So, my current thought is to create a new group called appserver or whatever, and add www-data as well as all of the developers to it. chown that folder to www-data:appservers and chmod 0770.
Is this the best way to do this?