--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.
I think Michael makes a very good point. We trust our admins with root access, so I can’t imagine why we’d go extra mile hiding an app secrets from them when they are so powerful with root already. If I had a sysadmin that I couldn’t trust handling this token properly, I would never hire him in the first place. As long as the secret accessibility is restricted to an appointed unix group (e.g. “deploy”) - that should work, shouldn’t it?
Not exactly if you use environment variables with secret settings using deployment tools like Capistrano.
But I also don't see why a system admin shouldn't be trusted...
Forget about using environment variables. Those are the easiest to checkout if you're root in a Linux server for instance. I could easily read it in a quick test.
I'm curious though to see how easy would it be to use GDB to attach to a running application after the deploy script has removed the file with the key after the application has booted...
That specific approach wouldn't really work in this case as you'd have to restart the process with the shim in place but you wouldn't be able to because you'd be missing one of Rails required initializer, which contains the secret.
Maybe the admin would be able to install the shim globally, but if you don't really trust your admin you could create some kind of checksum of your system of and refuse to deploy if it has changed. Softwares like Bacula are able to do things like that. Then you could diff with your known state to see what has changed so that you'd know whether the changes are safe or not. Bacula has such a feature for instance.
But since this requires a lot of work, it would be much simpler to not keep employees you don't trust. There's much worse things system admins could do if they want to.
In any case I don't find it trivial to steal the secret from a running process.
--
I do think that N secret tokens is a "safer" situation than just one.
Also note, that any future tenants would be safe from "remembering" the base token.
I'll give this a shot this weekend.
--