Django and File Permissions: Best Practices?

Question

I am integrating "legacy" code with Django, and have problems when the process executing Django must write to legacy code directories where it lacks write permissions. (The legacy code is a Python backend to a Tkinter GUI, which I'm repurposing to a browser-based UI.)

I could:

• Make the legacy directory writeable to all, but this seems like bad practice.
• Find the userid of the Django execution process, assign that to a group and give that group write permissions to the whole legacy directory. (I suspect this is the user running apache.) This too seems bad -- if that user is compromised,the whole directory is at risk.
• Isolate the "write" calls in the code, ensure they all go somewhere in a designated subdirectory tree, and make that tree world (or Django user group) writeable. This seems the least risky, but also the most work.

Any other ideas? Am I missing some obvious fix? I'm completely new to this.

Answer 1

I'd go with option number 2. I don't think your django user is any more likely to get compromised than your Tkinter user. If there's something else under apache that you're worried about, run it under a separate apache with the right user.