On 11/25/05, Adrian Holovaty <[EMAIL PROTECTED]> wrote:
> One suggestion: The writeup should encourage people to chown their
> settings file so that it's only readable by their own user account and
> the Web server, as a security precaution. I apologize in advance if
> you did indeed mention this, but I didn't see it during my cursory
> read.

I didn't mention anything about it, but I'm looking into it now. As-is, the instructions leave you with your Django project's code and settings in /home/username/django-projects/, and users on TextDrive's shared servers can't browse into each other's homes. It's possible to create additional users with SFTP access, but they get their own homes under /home/username/homes/ and I'm fairly certain that they're jailed into that directory.

I'll investigate it a bit more to see exactly what the security model is for TextDrive's shared servers, but probably I'll add a line about locking down the settings file anyway, just because it never hurts to be extra paranoid.

--
"May the forces of evil become confused on the way to your house."
  -- George Carlin