Best practices for linux user permissions to run web application as?

Problem description

I see a lot of different advice online as to where to serve your web application from, what user to run it as, etc.

For instance, I've seen it served from: /var/www/site, /srv/www/site, /home/$USER/site.

I've seen the user be www-data, $USER (i.e. my user account), or a custom user specifically created for that purpose (e.g. user uwsgi).

In terms of security, what is the best scheme I could choose?

For reference, I'm trying to deploy a Django site with Nginx and uwsgi.

Right now, uwsgi is running as root in emperor mode, with uid/gid set as www-data, so vassals spawn with the same permissions as Nginx workers. I'm serving from /home, but thinking of moving.

Recommended answer

For location, choose what seems best to you. Here are some considerations to help out:

  • Locations under /var are for files which change in size, or generally are "variable."
  • /srv generally indicates files related to some service running on the machine.
  • /home should usually be reserved for interactive users. You can set a system user's home directory to anything, though.

For security, you should segment as much as possible. The app should not run as the same user as the web server, so that it can't be abused to read sensitive files relating to the server itself (.htaccess or whatever). The app's binary files (or for Django, the python source) should be owned by root, without write access to the application user.

Here's my 2 cents on how to set it up:

  • Django app: /usr/lib/appname/ or /usr/lib/python/site-packages/appname/ if installed. Owned by root, chmod 644.
  • App's files (e.g. sqlite db file, Unix socket for FastCGI, uploaded file storage, etc): /var/lib/appname/. Owned by app-user, chmod 600.
  • app-user's shell is /bin/nologin, home is /var/lib/appname/. User has no configured password.
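
Added example, not part of the original answer: a small Python audit that checks a deployed tree against the ownership and mode scheme described above (code owned by root and not writable by the app user, data owned by the app user and closed to everyone else). The /usr/lib/appname and /var/lib/appname layout comes from the answer; the settings.py and db.sqlite3 file names and both demo trees are constructed here and are owned by the current user so the script runs without root.

```python
import os
import stat
import tempfile
from pathlib import Path


def _walk(top):
    # Yield the directory itself and everything below it (symlinks not followed).
    yield top
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def audit_layout(code_dir, data_dir, code_owner_uid, app_uid):
    """Return a list of (path, problem) for entries that break the scheme.

    code_dir (e.g. /usr/lib/appname): owned by code_owner_uid (root on a real
    host), never writable by the app user, never group/world writable.
    data_dir (e.g. /var/lib/appname): owned by app_uid, no group/other access.
    """
    findings = []
    for p in _walk(code_dir):
        st = os.lstat(p)
        if st.st_uid != code_owner_uid:
            findings.append((p, "code not owned by expected owner"))
        if st.st_uid == app_uid and st.st_mode & stat.S_IWUSR:
            findings.append((p, "code writable by app user"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p, "code group/world writable"))
    for p in _walk(data_dir):
        st = os.lstat(p)
        if st.st_uid != app_uid:
            findings.append((p, "data not owned by app user"))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((p, "data accessible to group/others"))
    return findings


def demo():
    """Constructed trees: one compliant, one with typical slips (0664 code, 0644 db)."""
    me = os.getuid()  # both 'root' and 'app-user' roles are played by the current uid
    results = {}
    for label, code_mode, data_mode in (("good", 0o444, 0o600), ("bad", 0o664, 0o644)):
        root = Path(tempfile.mkdtemp())
        code, data = root / "usr/lib/appname", root / "var/lib/appname"
        code.mkdir(parents=True)
        data.mkdir(parents=True)
        (code / "settings.py").write_text("DEBUG = False\n")
        (code / "settings.py").chmod(code_mode)
        code.chmod(0o555)  # code directory must not be writable by the app user either
        (data / "db.sqlite3").write_bytes(b"")
        (data / "db.sqlite3").chmod(data_mode)
        data.chmod(0o700)
        results[label] = audit_layout(str(code), str(data), me, me)
    return results
```

On a real host pass 0 as code_owner_uid and the app-user's uid as app_uid; the one entry in /var/lib/appname that needs wider access than 0600 is the Unix socket Nginx connects to, which the web server's user must be able to reach.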
