What user should own my Python scripts and application directories?

Question

I've been using chown www-data:www-data -R /path/to/my/django-app/ and simply letting my virtualenv's dirs / files be owned by root (since sudo pip install foo implies that by default). This just doesn't feel right though. Is this pretty typical, or, should www-data only own directories that it can upload files to? If I allow root to own everything, my server won't even be able to write .pyc files, or will it? I'm clearly quite new to Unix permissions. What is the secure, proper way to handle this?

Answer 1

The proper way is to compile to bytecode on install so that .pyc files never need to be created on the fly. The rest is basic stuff, like "never use 0777/0666".