{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 The star\" 的问题《Linux/Python: How can I hide sensitive information》','https://www.manongdao.com/q-971976.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I've got a Django project running on an Ubuntu server. There are other developers who have the ability to ssh into the box and look at files. I want to make it so that the mysql credentials and api keys in settings.py are maybe separated into a different file that's only viewable by the root user, but also usable by the django project to run.
My previous approach was to make the passwords file only accesible to root:root with chmod 600, but my settings.py throws an ImportError when it tries to import the password file's variables. I read about setuid, but that doesn't seem very secure at all. What's a good approach for what I'm trying to do? Thanks.
That's exactly what dj-database-url was created for!
Using this package you can store DB information in your user's environment variable. anyone who login from different account won't have access to db details
How to use?
Configure your database in settings.py from
DATABASE_URL(default is optional):Then in your shell
This will run the server with the connection you specified, if
DATABASE_URLis not defined then assume the connection passed by the optionaldefaultparameter.ideally you would put
inside your .bashrc file inside your home directory so that only you can read it
I'd place the password file in a directory with 600 permissions owned by the Django user. The Django user would be able to do what it needed to and nobody else would even be able to look in the directory (except root and Django)
Another thing you could do would be to store it in a database and set it so that the root user and the Django user in the DB have unique passwords, that way only the person with those passwords could access it. IE system root is no longer the same as DB root.
Have a look at filesystem ACLs, setfacl manpage.
You can have the files in questioned owned and readable only by the root user, but also allow whatever user the Django code is running as (your user name, apache user, etc) to have read access. Filesystem ACLs allow much more granular access control than standard owner/group/other file permissions
This is discussed in the SplitSettings page on
code.djangoproject.com. They have several suggestions such aswhere
.gallery-secretis limited to read by django user only (root still gets its way, of course). I prefer an environment variable such asMYAPP_OPTIONS=/etc/opt/myapp/used withos.path.expandvarso that the user account doesn't need a home directory and so that developers can point to test credentials easily.