Django and Nginx permission issue on Ubuntu

Hello to everyone here on Django Forum. I’m not a new user but have a new account :slight_smile:

Anyway, I’m using Ubuntu. I followed the instructions on DigitalOcean to set up Django on Ubuntu with Nginx and Gunicorn.

After I finished with migrations, collectstatic, etc., when I open my website I see that the static files are not loaded.

When I access the URL of a static file, I get a 403 from Nginx.

I did a permissions check and here are the results:

/home                                              755
/home/user1                                        750
/home/user1/mywebsite                              775
/home/user1/mywebsite/static                       775
/home/user1/mywebsite/static/myapp/css/core.css    644

I checked some topics here and on the Internet discussing several options for how to fix it.
In the end I changed /home/user1 from 750 to 755 and now everything works fine.

My question is: was this a good approach?
Is there a better way in terms of best practice?
Did I introduce some security risks now?
What if I put some bad file in the static folder now - is there a security risk that it will be executed, since 755 means execute permission?

I know this may be more of a question for sysadmins, but I wanted to hear opinions here on how other Django developers are dealing with this problem.

Thank you!

(Someone called for a sys-admin?)

The way we deploy for static files is this:

  • We define a directory under /var/www as the target for static files. (There is absolutely no reason for nginx to have access to the Django project directory.) Usually, it’s named for the project.

  • This directory is owned by the uid and gid used by nginx (default: www-data)

  • The account doing the deployment is made a member of that group.

  • That directory has its permissions set to 2775. (e.g., chmod 2775 /var/www/project) The “2” in the first position sets the “sticky” bit on the directory. This means that all files in that directory will be owned by that group.

  • The Django project has its STATIC_ROOT configured for that directory.

  • We use collectstatic with the --clear parameter.

I’ve never liked the idea of any web server having direct access to /home. Call it an over-abundance of caution, but it’s just not necessary.

For clarification - the “x” permission on directories does not mean “execute”. It’s the permission needed to get a listing of that directory, and is required if you’re going to access any file or directory within that directory.

This is not good. You’ve granted read access to your home directory to every user and process running on your system. And, since most directories in your home are created by default 775, any rogue process or exploit is going to have access to every file in your home directory.

Whether that’s a risk you’re willing to accept is something only you can decide.
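The two things a practitioner would want from this thread, as an added example that is not code from either poster: a check that walks up from a 403'd static file and reports which ancestor directory blocks traversal for an unrelated user (the diagnosis that turned up /home/user1 at 750), and a script that creates the separate collectstatic target described in the answer above: a directory under /var/www, group-owned by the web server's group, mode 2775. The leading 2 in 2775 is the setgid bit (`chmod g+s`), which is what makes files created there inherit the directory's group. Names such as the project directory, the group `www-data` and the deploy account are assumptions for illustration; the demo at the bottom runs unprivileged in a temp directory with the caller's own groups and cleans up after itself.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts). Linux / GNU stat.
# Assumed names: /var/www/<project> as STATIC_ROOT, www-data as the nginx group,
# user1 as the account running `manage.py collectstatic`.
set -eu

# Octal mode of a path, e.g. 750 or 2775.
mode_of() { stat -c '%a' "$1"; }

# For FILE, print every directory from FILE's parent up to STOP (default /) that a
# process running as a user who is neither owner nor group member cannot traverse,
# i.e. whose "other" digit lacks the x (search) bit. Output: "<dir> <mode>" per line.
path_blockers() {
    local file="$1" stop="${2:-/}" dir mode last
    case "$file" in /*) ;; *) file="$PWD/$file" ;; esac
    dir="$(dirname "$file")"
    while :; do
        mode="$(mode_of "$dir")"
        last="${mode#"${mode%?}"}"          # last octal digit = "other"
        case "$last" in
            1|3|5|7) ;;                     # x bit set: traversal allowed
            *) printf '%s %s\n' "$dir" "$mode" ;;
        esac
        [ "$dir" = "$stop" ] && break
        [ "$dir" = "/" ] && break
        dir="$(dirname "$dir")"
    done
}

# Create DIR as the collectstatic target: group-owned by GROUP, mode 2775 (setgid +
# group-writable), optionally adding DEPLOY_USER to GROUP. The usermod step needs root.
setup_static_dir() {
    local dir="$1" group="$2" deploy_user="${3:-}"
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
    if [ -n "$deploy_user" ]; then
        usermod -aG "$group" "$deploy_user"
    fi
}

# Prefer a supplementary group of the caller so the demo really exercises group
# inheritance; fall back to the primary group when there is none.
pick_group() {
    local primary g
    primary="$(id -gn)"
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then printf '%s\n' "$g"; return 0; fi
    done
    printf '%s\n' "$primary"
}

# Demonstration on a constructed tree mirroring the thread (not a real host).
demo() {
    local base home static www group
    base="$(mktemp -d)"; chmod 755 "$base"     # mktemp -d gives 700
    home="$base/home/user1"; static="$home/mywebsite/static/myapp/css"
    mkdir -p "$static"
    chmod 755 "$base/home"; chmod 750 "$home"
    chmod 775 "$home/mywebsite" "$home/mywebsite/static" "$home/mywebsite/static/myapp" "$static"
    : > "$static/core.css"; chmod 644 "$static/core.css"
    printf 'Blockers for %s:\n' "$static/core.css"
    path_blockers "$static/core.css" "$base"

    # The recommended layout: a separate, group-owned, setgid target.
    www="$base/var/www/project"
    mkdir -p "$base/var/www"; chmod 755 "$base/var" "$base/var/www"
    group="$(pick_group)"
    setup_static_dir "$www" "$group"
    : > "$www/core.css"                          # stands in for collectstatic output
    printf '%s mode %s; core.css group %s (expected %s)\n' \
        "$www" "$(mode_of "$www")" "$(stat -c '%G' "$www/core.css")" "$group"
    printf 'Blockers for %s:\n' "$www/core.css"
    path_blockers "$www/core.css" "$base"
    rm -rf "$base"
}

demo
```

On a real host the equivalent is `sudo sh -c '. ./static-perms.sh; setup_static_dir /var/www/mysite www-data user1'` (the file name is an assumption), then `STATIC_ROOT = "/var/www/mysite"` in settings and `manage.py collectstatic --clear` as user1 after re-logging in so the new group membership takes effect. The 403 check needs no privileges: `path_blockers /var/www/mysite/myapp/css/core.css` prints nothing when every directory on the path is traversable by the nginx worker.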

@KenWhitesell Thank you very much for very detailed explanation.