On 21 June 2010 20:16, Kenneth Gonsalves <[email protected]> wrote:
> On Monday 21 June 2010 15:37:50 Sam Lai wrote:
>> >> You do bring up an interesting point though, and I don't know much
>> >> about the architecture of Apache and how holes are exploited when they
>> >> exist, but if the trespasser can execute arbitrary code as www-data,
>> >> wouldn't they have access to settings.py anyway?
>> >
>> > and just to add to your worries, assuming that you have debug on in your
>> > production system, somewhere deep down in the traceback, you may see your
>> > database username and password! As for the apache question there are
>> > experts in this list who can answer them.
>>
>> Thanks for mocking what was and still is a serious point.
>>
>
> I am sorry if you feel I was mocking - it was not my intention. And the point
> you were bringing up about Apache is a vast subject and I am not competent to
> answer it. As for the debug thing, it is just a warning not to run debug in
> production.
Ah, I must've interpreted it incorrectly; I apologise. I'm definitely no expert on *nix and Apache security, so I'd appreciate it if anyone could clarify as well.

From the PGSQL docs [1]: "On systems supporting SO_PEERCRED requests for Unix-domain sockets (currently Linux, FreeBSD, NetBSD, OpenBSD, BSD/OS, and Solaris), ident authentication can also be applied to local connections. In this case, no security risk is added by using ident authentication; indeed it is a preferable choice for local connections on such systems."

[1] http://www.postgresql.org/docs/current/static/auth-methods.html

So it seems the postgresql people think it is ok, but I'm not sure once you add in Apache and things like Django on top of it.

> --
> Regards
> Kenneth Gonsalves
> Senior Associate
> NRC-FOSS at AU-KBC

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
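The SO_PEERCRED mechanism quoted from the PostgreSQL docs above is what makes ident (peer) authentication trustworthy on a local socket: the kernel, not the client, reports which uid is on the other end, so a process cannot claim to be a different OS user. The following Python script is an added illustration of that mechanism, not code from the thread or from PostgreSQL. It opens a Unix-domain socket, connects to it, reads the peer's credentials with getsockopt(SO_PEERCRED), and maps the kernel-reported uid to a database role the way a pg_ident.conf map would; an unmapped uid is refused. The `_UCRED_FMT` layout, the `authorize`/`demo` helpers and the constructed uid-to-role map are assumptions for this example, and the script assumes it runs on Linux.

```python
import os
import socket
import struct
import tempfile
import threading

# Linux fills a struct ucred {pid_t pid; uid_t uid; gid_t gid;} for SO_PEERCRED:
# three native C ints. (Assumption: this script runs on Linux.)
_UCRED_FMT = "3i"
CURRENT_UID = os.getuid()


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a Unix-domain socket.

    The kernel supplies these values, so the client cannot forge them; this is
    why the PostgreSQL docs call ident/peer auth safe for local connections.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, raw)


def authorize(uid, ident_map):
    """Map a kernel-reported uid to a database role, like a pg_ident.conf map.

    Returns the role name, or None when the OS user has no mapping (reject).
    This is the step that keeps an unexpected local user (e.g. a different
    service account) from reaching the application's database role.
    """
    return ident_map.get(uid)


def demo(ident_map):
    """Listen on a temporary Unix socket, connect to it from a helper thread,
    and return (role, uid, reply) as decided on the server side."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "peercred.sock")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(path)
        server.listen(1)

        outcome = {}

        def client():
            c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            c.connect(path)
            outcome["reply"] = c.recv(64)
            c.close()

        t = threading.Thread(target=client)
        t.start()
        conn, _ = server.accept()
        try:
            _pid, uid, _gid = peer_credentials(conn)
            role = authorize(uid, ident_map)
            if role:
                conn.sendall(b"ok:" + role.encode())
            else:
                conn.sendall(b"denied")
        finally:
            conn.close()
        t.join()
        server.close()
        return role, uid, outcome["reply"]


if __name__ == "__main__":
    # Constructed map: only the user running this script is allowed, as role "django_app".
    print(demo({CURRENT_UID: "django_app"}))
    # A map that names some other uid: the same connection is refused.
    print(demo({CURRENT_UID + 1: "someone_else"}))
```

The point for the Apache question in the thread is visible in `authorize`: peer authentication tells the database which OS user connected, so if the web server runs as www-data and www-data is mapped to the application's role, anything running as www-data gets that role whether or not it can read settings.py. The map only narrows which OS users are accepted; it does not separate the web server from code it has been tricked into executing.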

