Storing secure keys on Ubuntu web server
Posted by Sencha on Server Fault
Published on 2012-11-29T18:19:48Z
Indexed on 2012/12/13 17:05 UTC
I'm running Ubuntu 12.04 Precise with a DUNG (Django, Unix, Nginx & Gunicorn) environment and my app (as well as various config files) is stored in a Python virtual environment inside /srv, which the www-data user has access to.
The nginx & gunicorn processes are all run as www-data.
My web app requires secure credentials which I am storing in an environment.sh file. This file contains various exports and is run using source before the gunicorn processes execute.
My concern is the location of the environment.sh file and its permissions. Will it be okay storing this file inside the /srv folder where the www-data has access to it? Or should it be stored and owned by root somewhere else such as /var/myapp/environment.sh?
Also, regarding the www-data user, if any of my web processes (which are run as www-data) are compromised and someone gains access to them, does that mean that the user could potentially read any file on the system, even if they can't write? Including my secure keys?
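An added example, not part of the original post: a POSIX shell check of whether the mode bits on a secrets file such as environment.sh let a service user such as www-data read it, following the kernel's owner, then group, then other order. The function names are hypothetical, and the script assumes the usual ls -ln column order (mode, links, uid, gid).

```shell
#!/bin/sh
# Which permission class (owner, group, other) applies to USER for FILE?
# The kernel checks exactly one class, in that order.
perm_class() {
    f_uid=$(ls -ldn -- "$1" | awk '{print $3}')
    f_gid=$(ls -ldn -- "$1" | awk '{print $4}')
    if [ "$(id -u "$2")" = "$f_uid" ]; then echo owner; return 0; fi
    for g in $(id -G "$2"); do
        if [ "$g" = "$f_gid" ]; then echo group; return 0; fi
    done
    echo other
}

# Exit 0 if the mode bits grant USER read access to FILE.
# root (CAP_DAC_OVERRIDE) bypasses these bits; ACLs are not considered.
can_read() {
    mode=$(ls -ldn -- "$1" | cut -c1-10)          # e.g. -rw-r-----
    case $(perm_class "$1" "$2") in
        owner) bit=$(printf %s "$mode" | cut -c2) ;;
        group) bit=$(printf %s "$mode" | cut -c5) ;;
        *)     bit=$(printf %s "$mode" | cut -c8) ;;
    esac
    [ "$bit" = r ]
}

# Print findings for a secrets file ("ok" if none); exit 1 on any finding.
audit_secret() {
    findings=""
    if can_read "$1" "$2"; then findings="readable-by-$2"; fi
    if [ "$(ls -ldn -- "$1" | cut -c8)" = r ]; then
        findings="${findings:+$findings }world-readable"
    fi
    if [ -z "$findings" ]; then echo ok; return 0; fi
    echo "$findings"
    return 1
}

# Sample call (path and user are the ones named in the question):
#   audit_secret /var/myapp/environment.sh www-data
if [ "$#" -eq 2 ]; then audit_secret "$1" "$2"; fi
```

For a file owned by root with mode 600, a www-data user that is not in the file's group falls into the other class and the check prints ok.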
© Server Fault or respective owner