DigitalOcean

Question

Suggested Directory and File Permissions

I have Ubuntu 20.04 server with Django applications, Nginx and Gunicorn. I was wondering what is the best and most secure practice for directory permissions for my website and apps? I have researched and read 755 for directories and 644 for files. Would this be the best practice for all directories and files for my Django apps and Nginx?

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys
Site Moderator
Site Moderator badge
June 10, 2022
Accepted Answer

Hi @mpasquali,

Usually, yes folders generally do tend to have 755 and files 644 permissions. Those are the default standards. Having said that some files and folders have different perms, it really does depend on the case. Usually, config files might be with perms 400 and some folders might have 600 permissions. Having said that, thread carefully as some permissions break the functionality of the App.

KFSys
Site Moderator
Site Moderator badge
October 26, 2023

When setting up permissions for a Django application with Nginx and Gunicorn, it’s crucial to strike a balance between usability and security. The general permissions you’ve mentioned (755 for directories and 644 for files) are a common starting point, but let’s get into more detail.

Here’s a breakdown:

  1. User & Group:

    • You should run your Gunicorn process as a non-root user. Typically, people create a special user for this, e.g., www-data or django.
    • The same user should own the Django project files.
    • Nginx will typically run as the www-data user on most systems, but this can vary.

  2. Django Project Directory & Files:

    • Directories: 755 (drwxr-xr-x). This allows the owner to write to the directory while others can only read/traverse it.
    • Files: 644 (-rw-r--r--). This allows the owner to write to the file, while others can only read it.
    • manage.py: Should be given execute permission (i.e., 755) if you want to run it directly without using python manage.py ....

  3. SECRET_KEY & Sensitive Information:

    • If you store secrets in your settings (which isn’t ideal), make sure that the settings file is not world-readable to prevent unintentional information leaks.
    • A better approach would be to use environment variables or a secret manager to handle sensitive data.

  4. Static & Media Directories:

    • static/: This directory will be read by Nginx to serve static files directly. It should be readable by the www-data user or whatever user Nginx runs as.
    • media/: If users upload files, this directory should be writable by the Gunicorn/Django user.

  5. Database Files (if using SQLite):

    • Should be owned by the Django/Gunicorn user and typically have 640 permissions (-rw-r-----). This is to ensure that the web server (like Nginx) cannot write to the database.

  6. Virtual Environment & Dependencies:

    • If your Django application uses a virtual environment (as it typically should), the directory and files of the virtual environment should be readable (and executable for binaries) by the user running the Gunicorn process.

  7. Nginx Configuration Files:

    • Main configuration files (nginx.conf and others in /etc/nginx/): Should generally be owned by root and not writable by other users. Permissions like 644 are common.

  8. Logs:

    • Logs (like Gunicorn or Django logs) should be writable by the user running the application and readable by those who need access. Be cautious about making logs readable to all users, as they can contain sensitive information.

  9. Socket Files:

    • If you’re using Unix sockets for communication between Nginx and Gunicorn, ensure that both the Gunicorn and Nginx processes can access the socket. This might require setting up the right user/group and permission.

Other Tips:

  • Always keep backups before changing permissions and be especially careful with recursive permission changes.
  • Review permissions regularly, especially after major changes or updates.
  • Minimize the number of places with write permissions. If an attacker gains access, write permissions can be especially harmful.

These are general guidelines, and the specific needs can vary based on the application, plugins, and additional services you might be using. Always refer to the documentation of each component and consider the principle of least privilege when setting permissions.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Learn more

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Learn more

Featured on Community
Kubernetes CourseLearn Python 3Machine Learning in PythonGetting started with GoIntro to Kubernetes
DigitalOcean Products
CloudwaysVirtual MachinesManaged DatabasesManaged KubernetesBlock StorageObject StorageMarketplaceVPCLoad Balancers
Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel
© 2024 DigitalOcean, LLC.Sitemap.