Thanks! I think that answered my question.

On Feb 13, 6:33 am, Graham Dumpleton <[email protected]> wrote:
> On 12 February 2010 23:49, Rishi Ramraj <[email protected]> wrote:
>
> > While not directly related to wsgi, I presume you all have this
> > problem; how do you protect sensitive configuration information like
> > database connection strings when using WSGI? The best method I've
> > found to date is to put the sensitive information in my .wsgi file.
>
> Putting sensitive information in the WSGI script file is usually a bad
> idea. This is because in order for mod_wsgi to be able to use it as a
> WSGI application entry point, you have had to tell Apache that it can
> serve files from that directory. Having done that, if you stuff up the
> Apache configuration and lose the mapping that says the file should be
> handled by mod_wsgi instead of as a static file, then the raw WSGI
> script could be downloaded by a client and your sensitive information
> along with it.
>
> > Then set the file level permissions so that my web server is the only
> > user that can execute it (all other users can't read, write or
> > execute). Has anyone found any (better) alternatives?
>
> If you are on a UNIX system I'd suggest you use daemon mode and
> delegate each distinct application to a separate daemon process group.
> At the minimum run each as a separate user (different to the Apache user).
> The Apache user only needs to be able to read the directory containing
> the WSGI script file; all other files could be owned by and readable
> only to the special user used for that daemon process group.
>
> If you want to go to a further level of paranoia, mod_wsgi 3.X
> introduced a feature which allowed one to chroot individual daemon
> process groups. Thus each WSGI application could be in a chroot, with no
> way it could even see files for another application. You obviously
> still have to protect against normal users on the system, but this is
> where using distinct users for each daemon process group helps, as you can
> then lock down file system access.
>
> Graham
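The daemon-mode layout Graham describes, written out as an added Apache configuration example (not from the thread or from the mod_wsgi project). It assumes Apache 2.4 with mod_wsgi 3.x or later, a hypothetical application under /srv/app1/ and a dedicated system user and group both named app1; the ownership and mode values in the comments are the ones this layout relies on and are set up outside Apache.

```apache
# Added example. Assumed on-disk layout (created separately with chown/chmod):
#   /srv/app1/wsgi/             app1:www-data  0750  Apache may read the script dir
#   /srv/app1/wsgi/app1.wsgi    app1:www-data  0640  contains no secrets, only imports
#   /srv/app1/conf/settings.py  app1:app1      0600  DB connection string lives here
#   /srv/app1/src/              app1:app1      0750  application code
# The Apache user (www-data) can read the .wsgi entry point but nothing else;
# the daemon processes run as app1 and so can read conf/ and src/.

# One daemon process group per application, each under its own user.
WSGIDaemonProcess app1 user=app1 group=app1 processes=2 threads=15 \
    python-path=/srv/app1/src display-name=%{GROUP}

# Map the URL prefix to the entry point and pin it to the app1 daemon group.
WSGIScriptAlias /app1 /srv/app1/wsgi/app1.wsgi
<Location /app1>
    WSGIProcessGroup app1
    WSGIApplicationGroup %{GLOBAL}
</Location>

# Only the directory holding the .wsgi script is ever granted to Apache.
# On Apache 2.2 replace "Require all granted" with
# "Order allow,deny" followed by "Allow from all".
<Directory /srv/app1/wsgi>
    Require all granted
</Directory>

# /srv/app1/conf and /srv/app1/src sit under no granted <Directory>, so even
# if the WSGIScriptAlias line were lost, Apache has no mapping that would let
# it serve settings.py or the source tree as static files.
```

A second application gets its own WSGIDaemonProcess line with a different user and its own directory tree, which is what keeps one application's processes from reading another's configuration.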
