Best Practice Env Variables
Hi guys!
I'm completely new to VPS and have been trying out setting up a VPS and running a simple script just to get familiar with everything.
This particular script (python) uses a .env file which I put some API tokens in. On a platform like Heroku I would just input these in their GUI somewhere and I can access it through the app/script.
But for a VPS I would love to know what the best practices are to achieve access to the env variables. I could obviously copy the .env file I have locally to the VPS but my (limited) knowledge just tells me that does not feel safe. Of course that also depends significantly on how the VPS was set-up.
I have Ubuntu 20.04 LTS set-up on my Linode and aside from the regular security checklist I haven't installed anything yet (with exception of Postgres). And for completion sake I am using a python venv however as well.
Am I correct to say there must be another way or should this be safe enough if proper precautions are taken in terms of securing the VPS (following all common practices)? If there is a preferred other way, I'd love it if you could share me some insights on how to achieve this so I can take this and learn from it.
2 Replies
@kayjaybe --
You write:
Am I correct to say there must be another way or should this be safe enough if proper precautions are taken in terms of securing the VPS (following all common practices)? If there is a preferred other way, I'd love it if you could share me some insights on how to achieve this so I can take this and learn from it.
Generally yes… However, if you don't want any other user to see the contents of your .env file, set the ownership and permissions correctly:
- set up a user/group for your application (e.g., myscript/myscript);
- shange the ownership of your application & .env file to be owned by myscript/myscript;
- change the permission of your application to 0740 (-rwxr-----) & the .env file to 0640 (-rw-r-----);
- make your script run with the privileges of user/group myscript/myscript instead of the user/group who launched the app by setting the setuid, setgid & sticky bits of the app appropriately:
https://www.geeksforgeeks.org/setuid-setgid-and-sticky-bits-in-linux-file-permissions/
-- sw