1

I set django's settings.py file to chmod 600 to keep felonious folks from spying my database connection info, but on import python compiles this file and writes out settings.pyc as mode 644. It doesn't take much sleuthing for the bad guys to get the info they need from this compiled version. I fear my blog entries are in grave danger.

Beyond the obvious os.chmod, what techniques do folks use to keep your compiled python secure on disk?

4
  • 4
    Who are "the bad guys" that have access to your server? Please provide names. How did they get past the OS security to read these directories in the first place? Who granted them access? Please provide names. Commented Nov 28, 2009 at 23:07
  • 1
    umask (and +1 to S.Lott) Commented Nov 28, 2009 at 23:13
  • Tile permissions are OS security, and they're getting past it because they're being set incorrectly. I'd consider this a bug: the pyc files should, when possible, have the same permissions as the source file they correspond to. It's easy enough to fix externally, though. Rather than changing the umask (which may be brittle, eg. if you import modules from unit tests, or when debugging), I'd change permissions on the directory containing the files. Commented Nov 29, 2009 at 3:02
  • (Uh, "file".) (... and this is padding because of SO's dumb comment minimum length) Commented Nov 29, 2009 at 5:33

2 Answers

6

You can set the umask directly in python. The interpreter uses this umask to create the pyc files:

```python
import os
os.umask(0o077)  # Only keep rights for owner (0o077 is the octal form accepted by Python 2.6+ and 3)
import test
```

Verify the test.pyc created:

```
$> ls -l test.py*
-rw-r--r-- 1 shad users  0 2009-11-29 00:15 test.py
-rw------- 1 shad users 94 2009-11-29 00:15 test.pyc
```

1 Comment

sweet. i did not know of this. just what i was looking for
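Added example, not part of the answer above or of Django: a comment on the question argues that bytecode should carry the same permissions as its source, and this audit finds `.pyc` files that grant bits their source does not, optionally tightening them. The function names and the sample tree are constructed for illustration.

```python
import importlib.util
import os
import stat
import sys
import tempfile
from pathlib import Path


def source_for(pyc):
    """Map bytecode to its source: __pycache__ layout or legacy foo.pyc beside foo.py."""
    if pyc.parent.name == "__pycache__":
        return Path(importlib.util.source_from_cache(str(pyc)))
    return pyc.with_suffix(".py")


def audit_bytecode(root, fix=False):
    """List (pyc, pyc_mode, src_mode) where the pyc grants bits its source does not."""
    findings = []
    for pyc in sorted(Path(root).rglob("*.pyc")):
        try:
            src_mode = stat.S_IMODE(source_for(pyc).stat().st_mode)
        except (ValueError, OSError):
            continue  # orphaned or oddly named bytecode: no source to compare with
        pyc_mode = stat.S_IMODE(pyc.stat().st_mode)
        if pyc_mode & ~src_mode:
            findings.append((pyc.name, oct(pyc_mode), oct(src_mode)))
            if fix:
                os.chmod(pyc, pyc_mode & src_mode)  # never looser than the source
    return findings


def demo():
    """Constructed tree: settings.py at 0600 with 0644 bytecode, urls.py at 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cached = root / "__pycache__" / f"settings.{sys.implementation.cache_tag}.pyc"
        cached.parent.mkdir()
        layout = {root / "settings.py": 0o600, root / "settings.pyc": 0o644,
                  cached: 0o644, root / "urls.py": 0o644, root / "urls.pyc": 0o644}
        for path, mode in layout.items():
            path.write_bytes(b"")  # contents are irrelevant, only the mode matters
            os.chmod(path, mode)
        before = audit_bytecode(root, fix=True)
        after = audit_bytecode(root)
        return before, after, stat.S_IMODE(cached.stat().st_mode)


if __name__ == "__main__":
    print(demo())
```

Run `audit_bytecode` against the project directory without `fix` first to see which compiled files are readable more widely than their source.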
1

To add a little bit to S.Lott's comment: The code portion of your blog should be stored in a location where it can be executed (e.g. via a web request), but not read directly. Any reasonable web server providing CGI support will allow this to be set up.

4 Comments

yeah, it's more of ppl with shell access to the machine being able to peek at the pyc files if they choose. i probably could have worded the question better. thanks!
@mtvee: Who are these mysterious "ppl with shell access"? Please define "ppl". Please provide a list of names. It's so hard to talk about security when it's just random hand-waving. Whose access do you need to control? Please provide a list to your sysadmins.
i don't know exactly who they are, that's the crazy thing, but I know they are in there, sniffing around, looking at my crontabs and sifting through the log files. sometimes, late at night, when i do a quick ps ax | grep python i see one, but a flash, and when i look again they are gone. they are probably in your systems too. vigilance my friend, vigilance and chmod 600.
@mtvee: If you have logs, then you have names. Fix that. If you don't have logs, then, perhaps you don't actually have a security incident. Securing your .pyc files is silly when confronted with wholesale compromise. Find another hosting service.
