I wasn't conscious that I was making that assumption until you pointed it out :) I'm certain that we will be running with a dedicated server, but I'll be sure to make it a hard requirement. Thanks!
I think the approach that .NET uses is to encrypt a portion of an XML file and compile the private key into their binaries. That approach is not valid in our case as we have flat files that are easily accessible by potentially anyone in the system. Still, I'm curious; can an asymmetric key pattern be used to solve this problem? In the .NET case, a separation between the database strings and file is artificially created in which case the running code verifies its identity to the XML file using its private key. Assuming that someone couldn't de-compile the binaries, you can be sure that only the running code would have access to the connection strings. In our case that assumption is invalid because Python code is interpreted (or at least, not thoroughly compiled).

On Feb 12, 12:25 pm, Jason Garber <[email protected]> wrote:
> It depends on your hosting situation. If another user has access to running
> scripts under the web server user, then it is trivial for them to write a
> script which will read your settings file.
>
> The only *really* safe bet, in my opinion, is to get on a dedicated server
> (or vps). Food for thought.
>
> On Fri, Feb 12, 2010 at 9:50 AM, Gunnlaugur Thor Briem <[email protected]> wrote:
> > On Fri, Feb 12, 2010 at 12:49 PM, Rishi Ramraj <[email protected]> wrote:
> >
> >> While not directly related to wsgi, I presume you all have this
> >> problem; how do you protect sensitive configuration information like
> >> database connection strings when using WSGI? The best method I've
> >> found to date is to put the sensitive information in my .wsgi file.
> >> Then set the file level permissions so that my web server is the only
> >> user that can execute it (all other users can't read, write or
> >> execute). Has anyone found any (better) alternatives?
> >
> > I put the DB connection info in another file like .dbconn and load that
> > from the wsgi file (or Django settings.py); that way only this little file
> > needs securing, and I can check all my code into version control without
> > including the connection string.
> >
> > - Gulli

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
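
The approach discussed in this thread (connection details kept in a small separate file that only the web server user can read), as an added example that is not part of the original messages: a loader that refuses to use the file unless it is a regular file owned by the running user with no group or other permission bits. The `.dbconn` name comes from the thread; the `key = value` file format and the names `load_dbconn` and `InsecureSecretsFile` are assumptions made for illustration.

```python
import os
import stat
import sys


class InsecureSecretsFile(Exception):
    """The secrets file is accessible to more than its intended owner."""


def load_dbconn(path, expected_uid=None):
    """Return the key = value pairs in `path` after checking owner and mode.

    expected_uid defaults to the effective uid of this process, i.e. the
    user the WSGI application runs as. Format and names are hypothetical.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW: fail instead of following a symlink placed at `path`.
    flags = os.O_RDONLY | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags), "r") as fh:
        # fstat the open descriptor so the checks and the read apply to the
        # same file, with no window between checking and opening.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise InsecureSecretsFile("%s is not a regular file" % path)
        if st.st_uid != expected_uid:
            raise InsecureSecretsFile(
                "%s is owned by uid %d, expected %d"
                % (path, st.st_uid, expected_uid))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureSecretsFile(
                "%s has mode %o; group/other bits must be clear (e.g. 600)"
                % (path, stat.S_IMODE(st.st_mode)))
        text = fh.read()
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        key, sep, value = line.partition("=")  # value may itself contain '='
        if not sep:
            raise ValueError("malformed line in %s" % path)
        settings[key.strip()] = value.strip()
    return settings


if __name__ == "__main__":
    # Print only the setting names, never the secret values.
    print(sorted(load_dbconn(sys.argv[1])))
```

As noted in the thread, this check does not help when another user can run scripts under the web server user, since those scripts pass the same ownership test.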
