
modwsgi@googlegroups.com


[modwsgi] Re: Securing database connection strings. Rishi Ramraj Fri Feb 12 12:00:26 2010

I wasn't conscious that I was making that assumption until you pointed
it out :) I'm certain that we will be running with a dedicated server,
but I'll be sure to make it a hard requirement. Thanks!

I think the approach that .NET uses is to encrypt a portion of an XML
file and compile the private key into their binaries. That approach is
not valid in our case as we have flat files that are easily accessible
by potentially anyone in the system.

Still, I'm curious; can an asymmetric key pattern be used to solve
this problem? In the .NET case, a separation between the database
strings and file is artificially created in which case the running
code verifies its identity to the XML file using its private key.
Assuming that someone couldn't de-compile the binaries, you can be
sure that only the running code would have access to the connection
strings. In our case that assumption is invalid because python code is
interpreted (or at least, not thoroughly compiled).

On Feb 12, 12:25 pm, Jason Garber <[EMAIL PROTECTED]> wrote:
> It depends on your hosting situation.  If another user has access to running
> scripts under the web server user, then it is trivial for them to write a
> script which will read your settings file.
>
> The only *really* safe bet in my opinion, is to get on a dedicated server
> (or vps).  Food for thought.
>
> On Fri, Feb 12, 2010 at 9:50 AM, Gunnlaugur Thor Briem <[EMAIL PROTECTED]> wrote:
>
> > On Fri, Feb 12, 2010 at 12:49 PM, Rishi Ramraj <[EMAIL PROTECTED]> wrote:
>
> >> While not directly related to wsgi, I presume you all have this
> >> problem; how do you protect sensitive configuration information like
> >> database connection strings when using WSGI? The best method I've
> >> found to date is to put the sensitive information in my .wsgi file.
> >> Then set the file level permissions so that my web server is the only
> >> user that can execute it (all other users can't read write or
> >> execute). Has anyone found any (better) alternatives?
>
> > I put the DB connection info in another file like .dbconn and load that
> > from the wsgi file (or Django settings.py); that way only this little file
> > needs securing, and I can check all my code into version control without
> > including the connection string.
>
> >     - Gulli
>

-- 
You received this message because you are subscribed to the Google Groups 
"modwsgi" group.
To post to this group, send email to [EMAIL PROTECTED]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/modwsgi?hl=en.
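The approach the thread converges on (Gulli's separate ".dbconn" file loaded from the .wsgi file, protected by the file permissions the original poster describes) as an added worked example. This is not code from the thread or from mod_wsgi itself. It assumes a POSIX host, a hypothetical file of KEY=VALUE lines, and a libpq-style DSN; the loader refuses the file unless it is owned by the user the WSGI process runs as and is unreadable by group and others, which is exactly the property the "only the web server user can read it" scheme depends on, and which Jason's point about shared web server users shows you cannot assume holds.

```python
"""Load DB connection info from a separate, permission-checked file.

Added example (not code from the thread). It follows the thread's approach:
keep the connection details in a small file outside version control (here a
hypothetical '.dbconn' of KEY=VALUE lines) that the .wsgi file loads, and
rely on file permissions so only the web server user can read it. The
loader refuses the file if it is not owned by the effective user or is
readable by group/others, which catches the common "chmod 644" mistake.
Assumes a POSIX host; the KEY=VALUE format and the libpq-style DSN are
assumptions for this example.
"""
import os
import stat
import tempfile
from typing import Dict, List

REQUIRED_KEYS = ("host", "dbname", "user", "password")


def secret_file_problems(mode: int, owner_uid: int, expected_uid: int) -> List[str]:
    """Return the reasons a secret file's stat results are unacceptable (empty if fine).

    A pure function over stat values, so the policy can be tested without I/O.
    """
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if owner_uid != expected_uid:
        problems.append(f"owned by uid {owner_uid}, expected {expected_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group or others (use chmod 0400)")
    return problems


def parse_dbconn(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE")
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in conf]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    return conf


def load_dbconn(path: str) -> Dict[str, str]:
    """Open the file, check permissions on the open descriptor, then parse it.

    fstat() on the descriptor (not stat() on the path) means the file that is
    checked is the file that is read; O_NOFOLLOW rejects a symlink planted at
    the path.
    """
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        problems = secret_file_problems(st.st_mode, st.st_uid, os.geteuid())
        if problems:
            raise PermissionError(f"refusing {path}: " + "; ".join(problems))
        with os.fdopen(fd, "r", encoding="utf-8") as f:
            fd = -1  # the file object now owns the descriptor
            return parse_dbconn(f.read())
    finally:
        if fd >= 0:
            os.close(fd)


def build_dsn(conf: Dict[str, str]) -> str:
    """Build a libpq-style key/value DSN, quoting values that contain spaces."""
    def quote(v: str) -> str:
        return "'" + v.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return " ".join(f"{k}={quote(conf[k])}" for k in REQUIRED_KEYS)


def demo() -> Dict[str, object]:
    """Write a constructed .dbconn to a temp dir and exercise the loader."""
    sample = (
        "# constructed sample, not a real credential\n"
        "host=db.internal\ndbname=app\nuser=app_rw\npassword=s3cr3t pass\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".dbconn")
        with open(path, "w", encoding="utf-8") as f:
            f.write(sample)
        os.chmod(path, 0o644)  # the mistake: world-readable
        try:
            load_dbconn(path)
            rejected = False
        except PermissionError:
            rejected = True
        os.chmod(path, 0o400)  # owner read-only, as the thread recommends
        conf = load_dbconn(path)
        return {"world_readable_rejected": rejected, "user": conf["user"], "dsn": build_dsn(conf)}


if __name__ == "__main__":
    # In a .wsgi file this would be: CONF = load_dbconn("/etc/myapp/.dbconn")
    print(demo())
```

The check is deliberately done with fstat() on the already-open descriptor rather than a stat() on the path, so the file whose permissions were verified is the one whose contents are used. Note what it does not do: it cannot stop another script running as the same web server user from reading the file, which is Jason's point about shared hosting, and it is why the thread's answer to that case is a dedicated server or VPS rather than any file-level trick.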