Tuesday, July 18, 2017
On Monday, July 17, 2017 at 10:33:04 PM UTC+1, Walter Lee Davis wrote:
--
> On Jul 17, 2017, at 3:26 PM, Ralph Shnelvar <ralphs@dos32.com> wrote:
> My Rails app is on my own server, then
>
> Does it make a difference if the secret keys are in environment variables or ~/config/secrets.yml ?
>
> Ralph
>
Probably not. But if the configuration comes from the environment, and the Apache/Nginx config are owned by a different user than the Rails app, then maybe there's a need for an attacker to get root or at least compromise two users in order to access the configuration. Seems weak as an argument to me. If someone owns your server, they own your server. These files need to be readable for other processes to read them.
I suspect that the larger issue under protection here is you uploading your code to Github/lab and then forgetting and making it public.
At the point where they can run code on your servers it's game over anyway (for example attach gdb to running process and extract the value that way). More relevant are things like
- source control (as you note)
- your development machine gets stolen, compromised etc.
Personally I would also consider not having secrets there a protection against myself stops me accidentally running stuff in a development environment that ends up using the production version of some api.
Fred
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/2338c39d-2ff0-4857-b094-bbc64d21fbfa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment