2009/12/14 Damjan <[email protected]>: >> I am tinkering with mod_wsgi trying to adress some project >> requirements we have. >> >> One issue we are facing can be summarized as follow : >> * At startup, a wsgi application needs to read some sensitive data >> out of the file system . >> * Ideally, to match security best practice the file to be parsed >> would be readable by root only. > > What's the difference if the file is only readable by "a-special-user" > only??
Good point. Why couldn't you run application in daemon mode where a special user account is used that wouldn't be used for anything else and thus file only readable to that user. Only time this might not work is if you are somehow allowing third party user code to be run by application and so would still be able to read that file. But then if configuration in memory after being inherited from parent process, so could technically be found, albeit a lot harder. BTW, realised that the .pth hack will have limitations as not easy to predict order they are processed. So, okay for very simple stuff, but preloading something like TurboGears may be hard because not all .pth files will have been processed and so sys.path may not have been completely set up such that modules can be found when imported. Graham -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
