Are you doing this for password security? If so, note that, while not
quite as easy as scraping command line argument, your environment is
avilable via /dev/mem, and is trivially available to any Trojan that an
attacker can convince this shell or any of its children (such as Django or
any manage.py app) to execute.
Note, too, that, unless you are going to type this each time that you start
the server, you have to put it in a file somewhere, be it .bashrc,
.bash_profile, or some script file that you use to start django and the
management apps. And if it's in a file, then it is at least as good to
have it in settings.py .
And if you are willing to type a password, either let settings.py read it
to use to decrypt a file with the full credentials, or use one of the
password manager apps that settings.py can talk to over the D-bus (linux)
or equivalent.
But note that security is hard, and most "simple" home grown solutions,
very likely including my suggestions above, end up by reducing security.
On Thu, Mar 21, 2013 at 10:42 AM, demet8 <dem...@gmail.com> wrote:
> I have a common.py, dev.py, and prod.py for my Django settings files. All
> files inherit from common.py. I want to keep my database passwords,
> database URL, etc stored as environment variables. I have researched the
> topic but I am not sure If I have a clear understanding of it. I am hoping
> I can get a more comprehensive answer via this forum. This is what I have
> thus far:
>
>
> *In your bash shell type:*
>
> export SOMEAPP_DB_USER='someapp'
> export SOMEAPP_DB_PASSWORD='1234'
>
> *In my Django settings file type*:
>
> DATABASE_USER = os.environ.get("SOMEAPP_DB_**USER", ")
> DATABASE_PASSWORD = os.environ.get("SOMEAPP_DB_**PASSWORD", ")
>
> So are my passwords stored in just a terminal session? or are they being
> stored in something like my bash_profile?
>
A means whereby you have to type them to a shell is to type them as above
each time, then run python manage.py runserver, or maybe better, exec
python manage.py runserver (the shell that knows the password goes away as
a process in this case, so maybe you firist start a secondary bash by
typing "bash" at your shell prompt. Note that this DOES NOT help you in
deployment, behind Apache/mod_wsgi, for example, since it would be the
shell that started Apache that would have to have these environment
variables. You can add environment variables in the Apache configuration,
by the way, but that's just another file that knows your password.
>
> Thanks.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
