> > should be forbidden - one does not want apache to have direct access to
> > the database
>
> Storing a password in plaintext file makes me uneasy, even though it
> is locked away through file-system permissions.
>
> Having spent some time recently in the Windows world, I take
> integrated auth for granted, and it works fine, making sysadmin much
> easier.
and a single point of entry to all systems for a cracker
>
> You do bring up an interesting point though, and I don't know much
> about the architecture of Apache and how holes are exploited when they
> exist, but if the trespasser can execute arbitrary code as www-data,
> wouldn't they have access to settings.py anyway?
>
and just to add to your worries, assuming that you have debug on in your
production system, somewhere deep down in the traceback, you may see your
database username and password! As for the apache question there are experts
in this list who can answer them.
--
Regards
Kenneth Gonsalves
Senior Associate
NRC-FOSS at AU-KBC
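
An added example, not part of the original message or of Django itself: a static check a deployment pipeline could run against settings.py to flag the two conditions discussed in this thread, debug left on and a database password stored as a literal in the file. The function names and the sample settings text are constructed for illustration; `DATABASES` and the older `DATABASE_PASSWORD` are the Django setting names assumed.

```python
import ast

# Constructed sample settings.py content (not taken from the thread).
SAMPLE_SETTINGS = '''
import os
DEBUG = True
DATABASES = {
    "default": {"ENGINE": "django.db.backends.postgresql", "USER": "app",
                "PASSWORD": "example-password"},
    "replica": {"ENGINE": "django.db.backends.postgresql",
                "PASSWORD": os.environ.get("REPLICA_DB_PASSWORD", "")},
}
'''

def _is_nonempty_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""

def _literal_passwords(node, path):
    """Yield dotted paths of PASSWORD keys whose value is a non-empty string literal."""
    if not isinstance(node, ast.Dict):
        return
    for key, value in zip(node.keys, node.values):
        if not (isinstance(key, ast.Constant) and isinstance(key.value, str)):
            continue  # skips **unpacking (key is None) and non-string keys
        here = f"{path}.{key.value}"
        if key.value == "PASSWORD" and _is_nonempty_str(value):
            yield here
        else:
            yield from _literal_passwords(value, here)

def audit_settings(source):
    """Return findings for a settings module without importing or executing it."""
    findings = []
    for stmt in ast.parse(source).body:
        if not isinstance(stmt, ast.Assign):
            continue
        names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
        if "DEBUG" in names and isinstance(stmt.value, ast.Constant) and stmt.value.value is True:
            findings.append(f"line {stmt.lineno}: DEBUG is hardcoded True")
        if "DATABASE_PASSWORD" in names and _is_nonempty_str(stmt.value):
            findings.append(f"line {stmt.lineno}: DATABASE_PASSWORD is a string literal")
        if "DATABASES" in names:
            findings += [f"line {stmt.lineno}: {p} is a string literal"
                         for p in _literal_passwords(stmt.value, "DATABASES")]
    return findings

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(finding)
```

The check parses the file with `ast` rather than importing it, so it can run in CI without a database or the application's dependencies; values read from the environment, as in the constructed `replica` entry, are not flagged.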