On 21 June 2010 19:47, Kenneth Gonsalves <law...@au-kbc.org> wrote:
> On Monday 21 June 2010 13:39:42 Sam Lai wrote:
>> > should be forbidden - one does not want apache to have direct access to
>> > the database
>>
>> Storing a password in a plaintext file makes me uneasy, even though it
>> is locked away through file-system permissions.
>>
>> Having spent some time recently in the Windows world, I take
>> integrated auth for granted, and it works fine, making sysadmin much
>> easier.
>
> and a single point of entry to all systems for a cracker
I'm not running them all as admin (aka root), obviously. Integrated auth
doesn't mean every user account can access every resource. It's really just
delegating an application's authentication system to the operating system
(note authentication, not authorization). I fail to see how it is a
single point of entry to all systems. Yes, it means there's one less layer
of security, but that extra layer provided by the DBMS isn't security anyway
if, as that OS user, you can access the password to get past that extra
layer of security anyway. I don't believe this is an implementation of
defense in depth.

>> You do bring up an interesting point though, and I don't know much
>> about the architecture of Apache and how holes are exploited when they
>> exist, but if the trespasser can execute arbitrary code as www-data,
>> wouldn't they have access to settings.py anyway?
>>
>
> and just to add to your worries, assuming that you have debug on in your
> production system, somewhere deep down in the traceback, you may see your
> database username and password! As for the apache question there are experts
> in this list who can answer them.

Thanks for mocking what was and still is a serious point.

> --
> Regards
> Kenneth Gonsalves
> Senior Associate
> NRC-FOSS at AU-KBC

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
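As an added example (not code from the thread or from Django itself), here is a small Python check for the two risks raised in this exchange: a DATABASES password stored in plaintext in settings.py, and DEBUG left on in production, plus the file-permission protection the thread relies on. The settings module is parsed with `ast` rather than imported, and the two sample settings files (`RISKY`, `SAFE`) are constructed for the demo; `audit_settings` and `audit_text` are names chosen here.

```python
import ast
import os
import stat
import tempfile

def audit_settings(path):
    """Return findings for the Django settings module at `path` (parsed, not executed)."""
    findings = []
    with open(path) as fh:
        tree = ast.parse(fh.read(), filename=path)
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        try:
            value = ast.literal_eval(node.value)  # only plain literals are inspected
        except (ValueError, TypeError, SyntaxError):
            continue
        if "DEBUG" in names and value is True:
            findings.append("DEBUG is True: tracebacks may expose settings and locals")
        if "DATABASES" in names and isinstance(value, dict):
            for alias, cfg in value.items():
                if isinstance(cfg, dict) and cfg.get("PASSWORD"):
                    findings.append(f"DATABASES[{alias!r}] stores a plaintext PASSWORD")
    # The thread relies on file permissions to protect settings.py; check them too.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"settings file is readable by group/others (mode {mode:o})")
    return findings

# Constructed samples: the risky setup the thread warns about, and a
# password-less (peer/integrated auth) setup with DEBUG off.
RISKY = ('DEBUG = True\n'
         'DATABASES = {"default": {"ENGINE": "django.db.backends.postgresql_psycopg2",'
         ' "NAME": "app", "USER": "app", "PASSWORD": "hunter2"}}\n')
SAFE = ('DEBUG = False\n'
        'DATABASES = {"default": {"ENGINE": "django.db.backends.postgresql_psycopg2",'
        ' "NAME": "app", "USER": "app"}}\n')

def audit_text(text, mode=0o600):
    """Write `text` to a temporary file with `mode`, audit it, and clean up."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    try:
        return audit_settings(path)
    finally:
        os.unlink(path)
```

Running `audit_text(RISKY, 0o644)` reports all three findings, while `audit_text(SAFE, 0o600)` returns an empty list.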