[mod_python] Mod_python Security

Gustavo Córdova Avila gustavo.cordova at q-voz.com
Thu Mar 2 17:20:21 EST 2006


Graham Dumpleton wrote:
> Deron Meranda wrote ..
>   
>> On 3/2/06, Nicolas Lehuen <nicolas at lehuen.com> wrote:
>>     
>>> For example :
>>>
>>> # index.py
>>> # BAD !
>>> secret_password = "foobar"
>>>       
>> Or even better yet, if your code must know about secret passwords
>> (which is common for opening database connections, etc.), use
>> something like,
>>
>>    # index.py
>>    _secret_password = open('.secret','r').read().strip()
>>
>> and then store the password itself in the file ".secret".
>>
>> The leading dot in the filename will ensure that Apache won't serve
>> that file up with the default Apache config.  [Somebody correct me
>> if this is different for Windows].
>>     
> Stand corrected then. Using a leading dot doesn't protect it on
> UNIX like systems. The only safe way is to not put it in the directory
> in the first place.
>
> BTW, that code wouldn't work anyway, as you use a relative path
> but working directory will not actually be that directory so it will
> not find it.
>
> Graham
>   
*IF* you're going to use Apache's default configuration, all files which 
start with ".ht" are disallowed from all, so, the database password file 
could be:

    .ht_dbpasswd

and it'd be inaccessible to all clients, but locally available.

-gus
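The thread raises two points a practitioner would want to see handled: Graham's observation that a bare relative path such as `open('.secret')` fails because Apache's working directory is not the script's directory, and the general advice to keep the secret out of the served tree and unreadable to other users. The following Python is an added example, not code from the thread or from mod_python; it resolves the secret file against the module's own location (`__file__`) instead of the working directory, checks that the file is not group- or world-readable, and includes a constructed demonstration that writes a sample secret into a temporary directory. The file name `.ht_dbpasswd` and the value `hunter2` are constructed placeholders; a path outside the DocumentRoot, passed in absolute form, is the better choice in a real deployment.

```python
"""Added example (not from the mailing-list thread): load a secret from a
file without depending on the process's current working directory."""
import os
import stat
import tempfile


def load_secret(path):
    """Read a single-line secret from `path` and strip surrounding whitespace.

    `path` should be absolute; under Apache the working directory is usually
    '/' (or ServerRoot), never the directory holding index.py, so a relative
    path here would raise OSError exactly as Graham describes."""
    with open(path, "r") as fh:
        return fh.read().strip()


def secret_path_beside_module(filename, module_file=None):
    """Resolve `filename` against the directory of the calling module rather
    than the working directory. `module_file` defaults to this file's own
    __file__; a real handler passes its own __file__ (or, better, an absolute
    path to a directory outside the DocumentRoot)."""
    base = os.path.dirname(os.path.abspath(module_file or __file__))
    return os.path.join(base, filename)


def is_private(path):
    """True if the secret file has no group/other permission bits set, so
    other local accounts on the box cannot read it even though the web
    server account can."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def demo():
    """Constructed demonstration: create a fake module and a secret file in a
    temp dir, chdir somewhere else, then show that the bare relative path
    fails while the module-relative path works.
    Returns (relative_path_failed, secret_value, file_is_private)."""
    module_dir = tempfile.mkdtemp()
    fake_module = os.path.join(module_dir, "index.py")
    open(fake_module, "w").close()  # stands in for the real handler module

    secret_file = os.path.join(module_dir, ".ht_dbpasswd")  # constructed name
    with open(secret_file, "w") as fh:
        fh.write("hunter2\n")  # constructed sample secret
    os.chmod(secret_file, 0o600)  # owner-only, as a deployment should set it

    elsewhere = tempfile.mkdtemp()  # simulates Apache's unrelated cwd
    old_cwd = os.getcwd()
    os.chdir(elsewhere)
    try:
        try:
            load_secret(".ht_dbpasswd")  # the pattern from the thread
            relative_failed = False
        except OSError:
            relative_failed = True
        resolved = secret_path_beside_module(".ht_dbpasswd", fake_module)
        value = load_secret(resolved)
        private = is_private(resolved)
    finally:
        os.chdir(old_cwd)
    return relative_failed, value, private


if __name__ == "__main__":
    print(demo())  # (True, 'hunter2', True)
```

Resolving against `__file__` only fixes the working-directory problem; it still leaves the secret inside the served tree, where it relies on Apache's `.ht*` deny rule being present and unchanged. Passing an absolute path to a directory that Apache never serves removes that dependency entirely.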