Securely Store Credentials for a Web Application

Question

We are running a web application in python using wsgi with apache2, and must submit to a penetration test. The testers will be exploring the potential for damage if the attackers gain shell access as the apache user.

Currently, the damage potential is enormous, as we have the credentials for the database, s3 service, etc. all stored in a text file readable by the apache user. This seems to be the default advice when setting up these sorts of applications, but is there a more secure way to do this?

I was thinking of using apache (as root) to pass environment variables with setenv to the wsgi app, but is this actually more secure? Any advice for this?

Thanks!

You might want to try security.stackexchange.com as well. – HTTP500 Jun 13 '12 at 18:39 — HTTP500, Jun 13 '12 at 18:39

JMC · Answer 1 · 2012-06-13T18:56:56.310

2

Make the apache user a no shell user:

Example:

chsh -s /sbin/nologin apache

edited Jun 13 '12 at 18:56

answered Jun 13 '12 at 18:47

JMC

506
6
23

+1. My first thought as well. – MDMarra Jun 13 '12 at 19:01

score 0 · Answer 2 · answered Jun 13 '12 at 19:05

mod_wsgi has the ability to run as another user, so implement it and set up filesystem permissions appropriately.

If apache runs as root, make it drop privileges too and run under yet another account with no access to the wsgi files.

I wonder if you have to assess the damage incurred by the mod_wsgi use getting shelled :)

Edit: beware, chsh'ing apache user to nologin will not prevent shell access should the Apache process get hit by an exploit. I'd look into selinux if that's a major issue.

Securely Store Credentials for a Web Application

2 Answers2