# Where to store configurable secrets? In group-readable etc/app.conf ?



## patmaddox (May 18, 2022)

I am working on an app that reads database credentials from DATABASE_URL env var. I've got an rc script that starts it up fine. I want to double-check how I should be configuring it: I have put it in /usr/local/etc/myapp.conf chmod 770.

Is that right, or is there some other mechanism for setting secret env vars for rc scripts?


----------



## SirDice (May 18, 2022)

Why would the _group_ require write access? And why did you add _execute_ permissions to a configuration file? 640 is more appropriate. Read/Write for the _owner_ (which I presume is root?), Read for the group, and nothing for everyone else.

Always follow the principle of least privilege.


----------



## patmaddox (May 18, 2022)

You're right, group wouldn't need write. I'm not even sure that group needs to be able to read it?

Execute permissions because brain fart


----------



## SirDice (May 18, 2022)

patmaddox said:


> I'm not even sure that group needs to be able to read it?


In this case, probably not. But it's going to depend on at what stage that file is read and whether the service that reads this file is running on a limited account or not.


----------



## patmaddox (May 18, 2022)

My program isn't reading the file directly. The rc script (/usr/local/etc/rc.d/ex_ample_live) includes the lines:

```
load_rc_config ex_ample_live
# default location of the env file; its KEY=value lines are handed to the daemon as environment variables
: ${ex_ample_live_env_file:=/usr/local/etc/ex_ample_live.conf}
```
to pass them in as env vars to the commands.

I would like to run it on a limited account. The only thing the program should really be able to do is write to a log file. I'm not sure how to add users as part of the installation though. I looked at some other package manifests and have added `users: [myapp]` and `groups: [myapp]` to mine, but installing the package does not create the user. According to the porter's handbook section it looks like I may need to also edit ports/UIDs and ports/GIDs?

I am hesitant to do that because this app isn't being distributed publicly, at least not for the time being. Is there a way to add a named user as part of package installation, without taking a slot from ports/UIDs?


----------



## SirDice (May 18, 2022)

patmaddox said:


> The rc script (/usr/local/etc/rc.d/ex_ample_live) includes the lines:


Ok, those are run by root, in that case the group doesn't really need read access, so 600 or 400 would be good too.
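A way to make the 600/400 advice above enforceable rather than just a convention, as an added example that is not part of the thread or of patmaddox's rc script: since the rc script runs as root and sources the env file to build the daemon's environment, it can refuse to load a file whose group or other bits are set at all. The file format assumed here is one `KEY=value` line per secret (plain sh assignment syntax), and the function names `env_file_is_private` and `load_env_file` are hypothetical; the rc framework functions (`load_rc_config`, `rc.subr`) are deliberately left out so the block runs on any POSIX sh.

```sh
#!/bin/sh
# Added example: guard the env file an rc script feeds to a daemon.
# Works with plain POSIX sh; it does not depend on /etc/rc.subr.

# Return 0 if the group and other permission bits of $1 are all clear
# (mode 600, 400, 700, ...), 1 otherwise. ls(1) is used instead of
# stat(1) because the stat flags differ between FreeBSD and Linux.
env_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # ls -ld prints e.g. "-rw-------  1 root wheel ..."; columns 5-10 are
    # the group rwx and other rwx fields.
    perms=$(ls -ld "$f" | cut -c5-10)
    case "$perms" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Source $1 so every assignment in it becomes an exported environment
# variable, but only after the permission check passes. Sourcing executes
# the file, so a group-writable file would be a root code-execution path
# when this runs from an rc script; the check rejects that too.
load_env_file() {
    f=$1
    if ! env_file_is_private "$f"; then
        echo "refusing to load $f: mode too permissive, want 600 or 400" >&2
        return 1
    fi
    set -a        # auto-export every variable assigned while sourcing
    . "$f"
    set +a
}

# Demonstration with a constructed sample secret, not a real credential.
demo() {
    tmp=$(mktemp) || return 1
    printf 'DATABASE_URL=postgres://app:s3cret@localhost/app\n' > "$tmp"
    chmod 770 "$tmp"
    if load_env_file "$tmp" 2>/dev/null; then
        echo "BUG: loaded a group-accessible env file"
    else
        echo "mode 770 rejected, as intended"
    fi
    chmod 600 "$tmp"
    if load_env_file "$tmp"; then
        echo "mode 600 accepted; DATABASE_URL is now set for the daemon"
    fi
    rm -f "$tmp"
}
```

In a real rc script the `load_env_file` call would sit in a `start_precmd` or directly before the daemon is launched with `daemon -u myapp`, so the secret reaches the limited user's process environment without that user ever being able to read the file itself. Note that `env -i` or the equivalent is still worth considering so that only the intended variables, not root's whole environment, are inherited.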


----------

