[mod_python] Secure storage of sensitive variables, such as passwords

Jorey Bump list at joreybump.com
Wed Nov 24 12:47:58 EST 2004 

I'd like to know if anyone has any recommendations for securely storing 
information such as db passwords. I don't like to include login 
information anywhere within the DocumentRoot, in case an interpreter 
failure or server misconfiguration exposes the code. To this end, I'm 
using the following system:

1. I create a different user for each VirtualHost. Within the user's 
home directory, I create a site directory that serves as the DocumentRoot.

2. I then create a Python directory in the home directory, and add it to 
the VirtualHost's PYTHONPATH using:

  PythonPath "sys.path + ['/var/www/virtual/user/Python']"

Or one could do this within the script itself:

  sys.path.append('/var/www/virtual/user/Python')

This gives me a safe place outside of the DocumentRoot to store settings 
in modules, without placing them in the default PYTHONPATH of every 
other user on the system.

3. To store settings, I create a package structure:

  cd ~/Python
  mkdir Conf
  cd Conf
  touch __init__.py

This allows me to create files with settings specific to an application 
and import them. So, for application foo, I would create foo.py here and 
list the values I need, or even wrap them up neatly in a function:

  # ~/Python/Conf/foo.py
  import MySQLdb

  bees = 0
  eric = 0.5

  def get_dbh():
      """
      Set up db connection and return handle.
      """
      dbhost = "localhost"
      dbuser = "cyril"
      dbpwd  = "ladidi123"
      dbname = "menagerie"
      dbh = MySQLdb.connect(dbhost, dbuser, dbpwd, dbname)
      return dbh

Then, in my mod_python application, I import the values:

  # ~/site/foo.py
  from Conf.foo import *

  bees += eric
  dbh = get_dbh()
  # db handle is now ready to use for queries/updates

I find this approach a lot simpler than using a configuration parser, 
especially because there is no new syntax to learn and the resources are 
immediately available to the application. Creating a package to hold the 
settings also helps to avoid namespace clashes.

The usual caveats apply here as they do to any embedded interpreter, 
with the main concern being that other system users now theoretically 
have access to the code, which must be readable by the user apache runs 
as. The main payoff is that the application is a bit more resistant to 
remote exploits, because the code is stored outside the DocumentRoot.

I'd be interested in how others handle sensitive information or in any 
suggestions for hardening the approach I've outlined above. I generally 
use Publisher in a prefork environment, if that helps.

More information about the Mod_python mailing list