I have a Django application that is served by uwsgi through a reverse-proxy nginx.
Plus, I want uwsgi to be started via systemd (systemctl enable uwsgi).
I used pipenv to set up the virtual environment, and when I configure uwsgi to drop privileges to e.g. the www-data user, it can't find the virtual environment anymore in which uwsgi is installed (alongside Django and other packages).
So currently, uwsgi is running as a normal user with a /bin/bash login shell, defined in /etc/passwd.
From a security perspective, this is bad, right? Or is the reverse proxy via nginx (socket file instead of shared port) good enough?
On the other hand, the www-data user has no shell (in /etc/passwd), so I can't use it to create the virtualenv.
Is there something that I can do to make this more secure, using virtual environments? Or do I have to globally install django/uwsgi to make this run securely?