4

I'm writing a web application in Python (on Apache server on a Linux system) that needs to connect to a Postgres database. It therefore needs a valid password for the database server. It seems rather unsatisfactory to hard code the password in my Python files.

I did wonder about using a .pgpass file, but it would need to belong to the www-data user, right? By default, there is no /home/www-data directory, which is where I would have expected to store the .pgpass file. Can I just create such a directory and store the .pgpass file there? And if not, then what is the "correct" way to enable my Python scripts to connect to the database?

Improve this question
4
  • Home directories are not always /home/username -- run gawk -F: '($1 ~/www-data/) {print $6}' /etc/passwd to find out where it is. Commented Apr 9, 2013 at 7:32
  • Thanks! Turns out the home directory is /var/www, which kind of makes sense, but since that's where the server opens up its files to the world, I'm guessing that's probably not a good place to store a .pgpass file, right? Commented Apr 9, 2013 at 7:55
  • 1
    Django stores DB passwords in python config files, I don't see why it can be unsatisfactory. Well, it's not really hard coded though. Commented Apr 9, 2013 at 8:05
  • 1
    Do you mean something like this? docs.python.org/3/library/configparser.html Commented Apr 9, 2013 at 9:21

2 Answers 2

Reset to default
1

No matter what approach you use, other apps running as www-data will be able to read your password and log in as you to the database. Using peer auth won't help you out, it'll still trust all apps running under www-data.

If you want your application to be able to isolate its data from other databases you'll need to run it as a separate user ID. The main approaches with this are:

  • Use the apache suexec module to run scripts as a separate user;
  • Use fast-cgi (fcgi) or scgi to run the cgi as a different user; or
  • Have the app run its own minimal HTTP server and have Apache reverse proxy for it

Of these, by far the best option is usually to use scgi/fcgi. It lets you easily run your app as a different unix user but avoids the complexity and overhead of reverse proxying.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

That sounds sensible. Does it work with mod-wsgi, or is that a completely different way of doing things?
@AdamJacobs Yes, or you can use it via fcgi using the wsgi to fcgi interface.
Apache/mod_wsgi daemon mode also allows you to run code as a different user.
1

Install the application and its config files in its own directory different from the static files directory and only readable by the application user.

Set another user to run the application and use the WSGIDaemonProcess directive.

All of that and much more is clearly described in the mod_wsgi site, in the Quick Configuration Guide, Configuration Guidelines and Configuration Directives

Improve this answer

2 Comments

Thanks, that does indeed look useful. Though I'm not sure I completely agree with your assertion that it's "clearly described". Looks like something I'd probably spend a couple of days trying to get my head round before I ever got it working. But perhaps it would be worth it, as it does look like a pretty good way of keeping things secure.
@Adam Start with the simplest "hello word" and go step by step. That way you get all problems as they happen in instead of going the whole way and get lost. The patterns described there are very well established. If you don't have much Apache experience and you try your own way you will probably end with multiple points of failure.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.