Ruby on Rails Monday, July 17, 2017

> On Jul 17, 2017, at 3:26 PM, Ralph Shnelvar <ralphs@dos32.com> wrote:
>
> If my code will not be shared, and
>
> My Rails app is on my own server, then
>
> Does it make a difference if the secret keys are in environment variables or ~/config/secrets.yml ?
>
> Ralph
>

Probably not. But if the configuration comes from the environment, and the Apache/Nginx config are owned by a different user than the Rails app, then maybe there's a need for an attacker to get root or at least compromise two users in order to access the configuration. Seems weak as an argument to me. If someone owns your server, they own your server. These files need to be readable for other processes to read them.

I suspect that the larger issue under protection here is you uploading your code to Github/lab and then forgetting and making it public.

Walter

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/571DE6E4-EF07-4398-9DB5-092AF970C196%40wdstudio.com.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment