[mod_python] Mod_python Security

Deron Meranda deron.meranda at gmail.com
Thu Mar 2 18:16:07 EST 2006


On 3/2/06, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
> Deron Meranda wrote ..
> >    # index.py
> >    _secret_password = open('.secret','r').read().strip()
>
> Stand corrected then. Using a leading dot doesn't protect it on
> UNIX like systems.

You're right, I typed too fast.  The standard Apache configs
protect files starting with ".ht", not just ".".   (there's a <FilesMatch>
in httpd.conf to catch these).  So you could use ".htsecret" perhaps.

> The only safe way is to not put it in the directory in the first place.

Yes, that's safer still.  But the .ht* prefix is pretty safe too, it's a matter
of convenience (especially if you're under an SELinux environment
and you don't want to/know how to set MAC labels).

> BTW, that code wouldn't work anyway, as you use a relative path
> but working directory will not actually be that directory so it will
> not find it.

Yep, again I just typed my example too quick without paying
attention to the details.

Thanks for keeping me honest.  Bottom line though is to never
put the password in any code; keep it someplace else and read
it in dynamically at module load time.
--
Deron Meranda
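The advice in the message above (keep the secret out of the served directory, read it at module load time, and don't rely on the process working directory) as an added, self-contained Python example. It is not code from the thread or from mod_python; the `private/` directory one level above the handler module, the file name `secret`, and the permission check are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Assumed layout for this example (not from the thread): the mod_python
# handler module lives under DocumentRoot, and the secret lives one level
# up in a 'private' directory that Apache is never configured to serve.


def secret_path_for(module_file, name="secret"):
    """Absolute path to the secret file, derived from the module's own
    location via __file__ rather than from the current working directory,
    which under Apache is not the directory containing the script."""
    here = os.path.dirname(os.path.abspath(module_file))
    return os.path.normpath(os.path.join(here, os.pardir, "private", name))


def load_secret(path):
    """Read a secret from an absolute path.

    Rejects relative paths (they would resolve against Apache's working
    directory) and files readable by group or others, so a secret that
    was accidentally left world-readable fails loudly at load time."""
    if not os.path.isabs(path):
        raise ValueError("secret path must be absolute: %r" % path)
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("secret path is not a regular file: %r" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("secret file %r is readable by group/others" % path)
    with open(path, "r") as fh:
        return fh.read().strip()


# In the real handler module the secret would be read once at import time,
# never embedded as a literal in the source:
#
#     _secret_password = load_secret(secret_path_for(__file__))
#
# It is left as a comment here so this example imports without the file.


def demo_roundtrip():
    """Constructed check: write a 0600 file and load it back."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "secret")
    with open(p, "w") as fh:
        fh.write("hunter2\n")  # constructed sample value
    os.chmod(p, 0o600)
    return load_secret(p)


def demo_rejects_world_readable():
    """Constructed check: a 0644 secret file must be refused."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "secret")
    with open(p, "w") as fh:
        fh.write("hunter2\n")
    os.chmod(p, 0o644)
    try:
        load_secret(p)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(secret_path_for("/var/www/html/index.py"))
    print(demo_roundtrip())
    print(demo_rejects_world_readable())
```

The permission check is the piece a practitioner most often forgets: a secret outside DocumentRoot is still exposed to every other local account if the file is mode 0644, so refusing to start on a loose mode turns a silent leak into a visible configuration error.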


