| | 268 | |
| | 269 | == Using exec to incorporate local settings == |
| | 270 | |
| | 271 | I've been using code like this to incorporate local settings: |
| | 272 | |
| | 273 | `settings.py` |
| | 274 | {{{ |
| | 275 | #!python |
| | 276 | # Non-machine-specific settings live directly in settings.py |
| | 277 | # Machine-specific settings live in another file, perhaps local_settings.conf |
| | 278 | |
| | 279 | exec open('local_settings.conf') in globals() |
| | 280 | }}} |
| | 281 | |
| | 282 | This allows the local settings to both read and modify the main settings' values (and it's simple). |
| | 283 | |
| | 284 | As an enhancement, a small amount of privilege separation can be had by making the `local_settings.conf` file unreadable by the uid that runs the web app, opening local_settings.conf in a setuid wrapper, passing its file descriptor to the Django process, and using {{{exec os.fdopen(..., 'r') in globals()}}}. This isn't perfect, since any secrets read from that file are still stored in the Django process, but it does make it harder for someone who has gained access to the user id running the Django app to discover your secrets. (Obviously all of the Python files used by the app must be owned by a user other than the one the app runs as, as well.) |