Django and Nginx permission issue on Ubuntu

(Someone called for a sys-admin?)

The way we deploy for static files is this:

  • We define a directory under /var/www as the target for static files. (There is absolutely no reason for nginx to have access to the Django project directory.) Usually, it’s named for the project.

  • This directory is owned by the uid and gid used by nginx (default: www-data).

  • The account doing the deployment is made a member of that group.

  • That directory has its permissions set to 2775. (e.g., chmod 2775 /var/www/project) The “2” in the first position sets the “sticky” bit on the directory. This means that all files in that directory will be owned by that group.

  • The Django project has its STATIC_ROOT configured for that directory.

  • We use collectstatic with the --clear parameter.

I’ve never liked the idea of any web server having direct access to /home. Call it an over-abundance of caution, but it’s just not necessary.

For clarification - the “x” permission on directories does not mean “execute”. It’s the permission needed to get a listing of that directory, and is required if you’re going to access any file or directory within that directory.
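
The deployment steps above as a shell sketch with an audit for them, added here as an example and not part of the original post. The function names are hypothetical and GNU stat (as on Ubuntu) is assumed; the leading 2 in 2775 is checked as the set-group-ID bit, which is what `test -g` tests.

```shell
#!/bin/sh
# Added example. Production use per the post, run as root:
#   setup_static_root /var/www/project www-data www-data

# Create the static target, hand it to the web server's uid/gid, set mode 2775.
setup_static_root() {  # args: dir owner group
    mkdir -p "$1" && chown "$2:$3" "$1" && chmod 2775 "$1"
}

# Audit the directory: prints one line per finding, returns non-zero if any.
audit_static_root() {  # args: dir expected-group (name or numeric gid)
    dir=$1 want=$2 bad=0
    # The static target should not live under /home (symlinks resolved).
    case "$(cd "$dir" && pwd -P)" in
        /home/*) echo "FAIL: $dir resolves under /home"; bad=1 ;;
    esac
    gid=$(stat -c %g "$dir"); gname=$(stat -c %G "$dir")
    if [ "$want" != "$gid" ] && [ "$want" != "$gname" ]; then
        echo "FAIL: group is $gname ($gid), expected $want"; bad=1
    fi
    # -g is true when the set-group-ID bit (the leading 2) is set.
    [ -g "$dir" ] || { echo "FAIL: set-group-ID bit not set on $dir"; bad=1; }
    mode=$(stat -c %a "$dir")
    [ "$mode" = 2775 ] || { echo "FAIL: mode is $mode, expected 2775"; bad=1; }
    # Entries collectstatic wrote with a different group (first five).
    stray=$(find "$dir" ! -group "$gid" -print | head -n 5)
    [ -z "$stray" ] || { echo "FAIL: wrong group on: $stray"; bad=1; }
    # Subdirectories created before the bit was set will lack it.
    nosgid=$(find "$dir" -type d ! -perm -2000 -print | head -n 5)
    [ -z "$nosgid" ] || { echo "FAIL: no set-group-ID on: $nosgid"; bad=1; }
    return "$bad"
}
```

Run `audit_static_root /var/www/project www-data` after `collectstatic --clear` to confirm the new files and subdirectories picked up the group.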