What are the main guidelines for setting up a user account on a Linux machine for a web app?

In my case it is a Rails application that does file management.

The first thing I can think of is to limit access rights to only the directories it needs. But how exactly should I go about this? Set up rights through a user group or through the user's ownership of those directories? I have very little experience in user rights management.

What else do I need to consider? I've heard of ACLs and SELinux; do I need to look into any of these to guarantee decent security for my simple web app?

Any advice about this, and anything not mentioned, is welcome. Thanks, Max.

I will be using Ubuntu.

You don't really need to go crazy; you just want to run your web app as a unique user that's not part of any preexisting group. Then as long as your system doesn't give inappropriate write access (or read access) to miscellaneous user-level accounts, you're good. You could try for chroot jailing if you want it more hardcore. There are various docs out there if you google "rails chroot" or "apache chroot jail" (not sure if you're fronting with Apache or not).

The thing you absolutely must do, however, if you're doing file management, is sanitize your inputs (see http://guides.rubyonrails.org/security.html for how). Otherwise people can malform inputs to hit files in unexpected locations. (chroot helps that not be a system directory, but still lets users of your app jack with other users unless you do this.)

Ernest Mueller
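
As an added example (not part of the original answer), here is one way to do the input check described above for a file-management app: every user-supplied name is resolved against that user's own directory and rejected if it lands anywhere else. The method names and the `<storage>/<user>` layout are assumptions made for illustration, and the symlink check goes a step beyond what the answer mentions.

```ruby
require "tmpdir"
require "fileutils"

class UnsafePathError < StandardError; end

# Map a user-supplied relative name to a path inside user_root, or raise.
# user_root is the one directory this user may touch (hypothetical layout:
# <storage>/<user id>), so the check also keeps users apart from each other.
def resolve_user_path(user_root, name)
  raise UnsafePathError, "empty name" if name.nil? || name.empty?
  # NUL can truncate the path in C-level calls; "~" triggers home expansion.
  raise UnsafePathError, "illegal character" if name.include?("\0") || name.start_with?("~")

  root = File.realpath(user_root)
  inside = ->(p) { p == root || p.start_with?(root + File::SEPARATOR) }

  # expand_path collapses "." and ".."; an absolute name replaces root entirely.
  candidate = File.expand_path(name, root)
  raise UnsafePathError, "escapes #{root}" unless inside.(candidate) && candidate != root

  # Lexical checks miss symlinks: resolve the deepest existing ancestor too.
  existing = candidate
  existing = File.dirname(existing) until File.exist?(existing) || File.symlink?(existing)
  begin
    real = File.realpath(existing)
  rescue Errno::ENOENT
    raise UnsafePathError, "dangling symlink"
  end
  raise UnsafePathError, "symlink leaves #{root}" unless inside.(real)
  candidate
end

# Boolean wrapper for callers that only need a yes/no answer.
def safe_user_path?(user_root, name)
  resolve_user_path(user_root, name)
  true
rescue UnsafePathError
  false
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |storage|                       # constructed sample layout
    alice = File.join(storage, "alice")
    FileUtils.mkdir_p([alice, File.join(storage, "bob")])
    File.symlink(File.join(storage, "bob"), File.join(alice, "shortcut"))
    ["report.pdf", "docs/../notes.txt", "../bob/secret.txt",
     "/etc/passwd", "shortcut/secret.txt"].each do |name|
      puts format("%-22s %s", name, safe_user_path?(alice, name) ? "ok" : "rejected")
    end
  end
end
```

The check and the later file operation are separate steps, so it belongs alongside the dedicated account and directory permissions described in the answer, not in place of them.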
