WebFaction Community site

I have a Django application that I collaborate on with 3 other developers, and I would like to set it up so that they have full access to it, but not to my other webapps.

I have created a new SSH user for the project, and followed http://docs.webfaction.com/software/general.html#granting-access-to-specific-users, but am still having trouble isolating the webapp.

There are some problems with permissions:

  • The permissions seem not to apply for new directories made under the webapp's files: I need to re-run the script that uses setfacl every time I create a directory, otherwise the new SSH user does not have permission to write under it.
  • If files are uploaded by that SSH user, my own account does not have permissions to write those files.
  • The new SSH user still does not have the permissions to restart the apache server to reload the code.

Also, I noticed that webapps' apache servers run under my own user account, and therefore have read and write access to my home directory, which can be a huge security risk if there is a bug in the code.

I don't really need to update or work on this webapp from my own personal SSH account, I'd rather move as much of it over to the project-specific account and completely isolate it from other apps and my own user account. What is the best way to do that?

asked 13 Dec '10, 06:14

Mattias
112
accept rate: 0%

edited 13 Dec '10, 06:16


You can't run web applications under users other than your own.

This, however, should not really be needed - all the problems you listed can be solved.

To grant "sticky" permissions, i.e. permissions that are retained through newly created files and folders by the same user, you can use the "d" modifier of the setfacl command, as in:

setfacl -R -m d:u:UserWhoShouldRetainAccess:rwx /path/to/folder

This command should be run by whoever owns the specific directory.

Granting permissions to have Apache restarted won't be possible either. However, with mod_wsgi you could have the Django instance reloaded automatically. See http://code.google.com/p/modwsgi/wiki/ReloadingSourceCode for more info.

All your webapps run under your own account. The opposite (running all of our users' apps under a common account) is actually the security risk (if someone else's site gets hacked, yours will get hacked as well).

On a side note, to avoid all the permissions hassle, you can simply set up an SVN repository for your developers, and then create a post-commit hook, that will deploy the latest code from the repository to the actual web application (and optionally - restart Apache). In this way you will not have to worry about SSH access and permissions at all.


answered 13 Dec '10, 06:40

tie
1.4k13
accept rate: 44%
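An added example, not code from the original post or from WebFaction's documentation, that turns the setfacl advice in the answer into a script addressing the first two problems in the question: new directories needing setfacl re-run, and uploads by the project account not being writable by the owner. It assumes Linux setfacl/getfacl (the acl package) on a filesystem with ACLs enabled, run by the owner of the tree; account names, paths and the numeric uid 65534 used in the demo are placeholders. Unlike the one-line command above, it also grants an access ACL on the entries that already exist (a default ACL alone only affects entries created afterwards) and restricts the default entry to directories, which are the only objects that can carry one.

```shell
#!/bin/sh
# Added example (not from the original post or WebFaction): grant collaborators
# "sticky" access to one project tree so that directories and files created
# later, by any of the accounts, are usable by all of them without re-running
# setfacl. Assumes Linux setfacl/getfacl on an ACL-enabled filesystem, run by
# the tree's owner. Account names, paths and uid 65534 are placeholders.
set -eu

# share_tree DIR ACCOUNT...: for each account, add an access ACL entry on every
# existing file and directory (rwX = execute only on directories and files that
# are already executable), and a default ACL entry on every existing directory.
# The default entry is what new entries inherit at creation time, whoever
# creates them. Pass the owner's own account as well, so uploads made by a
# collaborator stay writable by the owner.
share_tree() {
    dir=$1
    shift
    for acct in "$@"; do
        setfacl -R -m "u:$acct:rwX" "$dir"
        find "$dir" -type d -exec setfacl -m "d:u:$acct:rwx" '{}' +
    done
}

# acl_grants PATH ACCOUNT PERMS: succeed if PATH's access ACL has that named
# entry (-c: no header, -n: numeric ids, -E: no "#effective" annotations).
acl_grants() {
    getfacl -c -n -E "$1" 2>/dev/null | grep -qx "user:$2:$3"
}

# default_grants DIR ACCOUNT PERMS: the same check on DIR's default ACL.
default_grants() {
    getfacl -c -n -E "$1" 2>/dev/null | grep -qx "default:user:$2:$3"
}

# acl_mask PATH: print the mask entry, which caps what named users can do.
# For a new file the mask comes from the creating process's mode (rw- for a
# normal create), so an inherited rwx entry is effectively rw- on files.
acl_mask() {
    getfacl -c -n -E "$1" 2>/dev/null | sed -n 's/^mask::\(.*\)$/\1/p'
}

# check_inheritance DIR ACCOUNT: create a subdirectory and a file the way a
# collaborator's upload would, then succeed only if both carry the named entry
# (and the subdirectory carries the default entry) with no further setfacl
# call, i.e. the first problem from the question no longer occurs.
check_inheritance() {
    mkdir "$1/newdir"
    : > "$1/newdir/upload.txt"
    default_grants "$1/newdir" "$2" rwx \
        && acl_grants "$1/newdir" "$2" rwx \
        && acl_grants "$1/newdir/upload.txt" "$2" rwx \
        && [ "$(acl_mask "$1/newdir/upload.txt")" = "rw-" ]
}

# demo: run the procedure on a throwaway tree, using numeric uid 65534 as the
# collaborator so the example needs no extra accounts. On a real host:
#   share_tree ~/webapps/myproject owner_account project_account
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/app/static"
    : > "$root/app/settings.py"
    share_tree "$root/app" 65534
    if check_inheritance "$root/app" 65534; then
        echo "new directory and file inherited the ACL entries"
    else
        echo "inheritance check failed (ACLs unsupported here?)"
    fi
    rm -rf "$root"
}

if [ "${ACL_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run the demo with `ACL_DEMO=1 sh share_tree.sh`, or source the file and call `share_tree` on the real webapp directory with both accounts. The mask check matters in practice: an inherited entry reads `rwx` in getfacl, but on a regular file the effective permission is capped by the mask derived from the creating process's mode, which is why the script reports the mask rather than only the entry.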

question was seen: 4,319 times

last updated: 13 Dec '10, 06:40

© COPYRIGHT 2003-2019 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED
REGISTERED IN ENGLAND AND WALES 5729350 - VAT REGISTRATION NUMBER 877397162
5TH FLOOR, THE OLD VINYL FACTORY, HAYES, UB3 1HA, UNITED KINGDOM