On Monday 21 June 2010 13:39:42 Sam Lai wrote:
> > should be forbidden - one does not want apache to have direct access to
> > the database
> 
> Storing a password in plaintext file makes me uneasy, even though it
> is locked away through file-system permissions.
> 
> Having spent some time recently in the Windows world, I take
> integrated auth for granted, and it works fine, making sysadmin much
> easier.

and a single point of entry to all systems for a cracker
> 
> You do bring up an interesting point though, and I don't know much
> about the architecture of Apache and how holes are exploited when they
> exist, but if the trespasser can execute arbitrary code as www-data,
> wouldn't they have access to settings.py anyway?
> 

and just to add to your worries, assuming that you have debug on in your
production system, somewhere deep down in the traceback, you may see your
database username and password! As for the Apache question there are experts
in this list who can answer them.
-- 
Regards
Kenneth Gonsalves
Senior Associate
NRC-FOSS at AU-KBC
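
Added example, not part of the original message or of Django's own code: a pre-deployment check for the two concerns raised in this thread, a plaintext database password in settings.py and DEBUG left on in production. The sample settings contents, the function names and the finding strings are constructed for illustration.

```python
import ast
import os
import stat
import tempfile

# Constructed sample settings file, not taken from the thread.
SAMPLE_SETTINGS = '''
DEBUG = True
DATABASES = {
    "default": {"ENGINE": "django.db.backends.postgresql_psycopg2", "NAME": "appdb",
                "USER": "appuser", "PASSWORD": "example-password"},
}
'''

def audit_settings(path):
    """Return a list of findings for the Django settings file at `path`."""
    findings = []
    # A world-readable settings file exposes the password to every local account.
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
        findings.append("settings file is world-readable")
    with open(path) as fh:
        tree = ast.parse(fh.read())
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if "DEBUG" in names and isinstance(node.value, ast.Constant) and node.value.value is True:
            findings.append("DEBUG is True")
        # Look inside the assigned value for a "PASSWORD" key holding a string literal.
        for sub in ast.walk(node.value):
            if not isinstance(sub, ast.Dict):
                continue
            for k, v in zip(sub.keys, sub.values):
                if (isinstance(k, ast.Constant) and k.value == "PASSWORD"
                        and isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value):
                    findings.append("literal database password in settings")
    return findings

def demo(source=SAMPLE_SETTINGS, mode=0o644):
    """Write `source` to a temporary file with permissions `mode` and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as fh:
        fh.write(source)
    os.chmod(fh.name, mode)
    try:
        return audit_settings(fh.name)
    finally:
        os.unlink(fh.name)
```

The file is parsed with `ast` rather than imported, so the check never executes the settings module or needs the database driver installed.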
