View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Community Questions Best Practice Env Variables
Log in to Ask a Question

Best Practice Env Variables

python

Hi guys!

I'm completely new to VPS and have been trying out setting up a VPS and running a simple script just to get familiar with everything.

This particular script (python) uses a .env file which I put some API tokens in. On a platform like Heroku I would just input these in their GUI somewhere and I can access it through the app/script.

But for a VPS I would love to know what the best practices are to achieve access to the env variables. I could obviously copy the .env file I have locally to the VPS but my (limited) knowledge just tells me that does not feel safe. Of course that also depends significantly on how the VPS was set-up.

I have Ubuntu 20.04 LTS set-up on my Linode and aside from the regular security checklist I haven't installed anything yet (with exception of Postgres). And for completion sake I am using a python venv however as well.

Am I correct to say there must be another way or should this be safe enough if proper precautions are taken in terms of securing the VPS (following all common practices)? If there is a preferred other way, I'd love it if you could share me some insights on how to achieve this so I can take this and learn from it.

2 Replies

@kayjaybe --

You write:

Am I correct to say there must be another way or should this be safe enough if proper precautions are taken in terms of securing the VPS (following all common practices)? If there is a preferred other way, I'd love it if you could share me some insights on how to achieve this so I can take this and learn from it.

Generally yes… However, if you don't want any other user to see the contents of your .env file, set the ownership and permissions correctly:

  • set up a user/group for your application (e.g., myscript/myscript);
  • shange the ownership of your application & .env file to be owned by myscript/myscript;
  • change the permission of your application to 0740 (-rwxr-----) & the .env file to 0640 (-rw-r-----);
  • make your script run with the privileges of user/group myscript/myscript instead of the user/group who launched the app by setting the setuid, setgid & sticky bits of the app appropriately:

https://www.geeksforgeeks.org/setuid-setgid-and-sticky-bits-in-linux-file-permissions/

-- sw

Many thanks for your input. Definitely helps me a lot as I had no idea I could do that.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct