On 12 February 2010 23:49, Rishi Ramraj <[email protected]> wrote:

> While not directly related to wsgi, I presume you all have this
> problem; how do you protect sensitive configuration information like
> database connection strings when using WSGI? The best method I've
> found to date is to put the sensitive information in my .wsgi file.
Putting sensitive information in the WSGI script file is usually a bad idea. This is because in order for mod_wsgi to be able to use it as a WSGI application entry point, you have had to tell Apache that it can serve files from that directory. Having done that, if you stuff up the Apache configuration and lose the mapping that says the file should be handled by mod_wsgi instead of as a static file, then the raw WSGI script could be downloaded by a client and your sensitive information along with it.

> Then set the file level permissions so that my web server is the only
> user that can execute it (all other users can't read write or
> execute). Has anyone found any (better) alternatives?

If you are on a UNIX system I'd suggest you use daemon mode and delegate each distinct application to a separate daemon process group. At the minimum run each as a separate user (different to Apache user). The Apache user only needs to be able to read the directory containing the WSGI script file; all other files could be owned by and readable only to the special user used for that daemon process group.

If you want to go to a further level of paranoia, mod_wsgi 3.X introduced a feature which allowed one to chroot individual daemon process groups. Thus each WSGI application could be in a chroot with no way it could even see files for another application.

You obviously still have to protect against normal users on the system, but this is where using distinct users for each daemon process group helps, as you can then lock down file system access.

Graham
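The layout Graham describes, written out as an Apache configuration fragment. This is an added example, not from the thread or from the mod_wsgi project; the paths, the `myapp` user and group, and the `settings.py` file name are assumptions.

```apache
# Added example (not from the thread). Assumed layout:
#   /srv/myapp/htdocs/myapp.wsgi   - WSGI script file, no secrets inside
#   /srv/myapp/private/settings.py - DB connection string, owned by user "myapp"

# --- Weak: secrets embedded in the WSGI script, which sits in a directory
# --- Apache is allowed to serve. Lose the WSGIScriptAlias mapping and
# --- myapp.wsgi (connection string included) is served as a static file.
#
# WSGIScriptAlias /myapp /var/www/html/myapp.wsgi
# <Directory /var/www/html>
#     Require all granted       # Apache 2.4 syntax; "Allow from all" on 2.2
# </Directory>

# --- Hardened: daemon mode, one process group per application, each
# --- running as its own user, secrets kept outside any served directory.
WSGIDaemonProcess myapp user=myapp group=myapp processes=2 threads=15 \
    home=/srv/myapp python-path=/srv/myapp/private

WSGIScriptAlias /myapp /srv/myapp/htdocs/myapp.wsgi

<Directory /srv/myapp/htdocs>
    WSGIProcessGroup myapp
    WSGIApplicationGroup %{GLOBAL}
    Require all granted
</Directory>

# private/ is never mapped to a URL, so Apache cannot serve it even if the
# alias above is lost. File permissions keep other local users out too;
# the WSGI script is imported inside the daemon process (user "myapp"),
# so only the directory needs to be readable by the Apache user:
#   chown -R myapp:myapp /srv/myapp
#   chmod 755 /srv/myapp /srv/myapp/htdocs
#   chmod 640 /srv/myapp/htdocs/myapp.wsgi
#   chmod 750 /srv/myapp/private
#   chmod 640 /srv/myapp/private/settings.py
```

Inside `myapp.wsgi` the application then imports `settings` from the private directory on its `python-path` rather than carrying the connection string itself.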
