John Draper
lists at webcrunchers.com
Sat Apr 3 14:31:43 EST 2004
Hi,

As some, but not all people know, the Apache that comes with OpenBSD has a few security features built in. In most cases, this severely restricts the environment that CGI code can run in.

Is the environment of Mod_python within the same chrooted environment that normal CGI's would run in? Or, because it's a module, would it be running under the same permissions as 'httpd' and would that ALSO be run under the chrooted environment?

Is there anyone on this list using OpenBSD and running CGI's successfully?

Below is a portion of the man httpd for the OpenBSD ver of apache. Not certain if other OS's have this feature.

OPTIONS
     -u      By default httpd will chroot(2) to the serverroot path. The -u
             option disables this behaviour, and returns httpd to the
             expanded "unsecure" behaviour.
             As a result of the default secure behaviour, httpd cannot access
             any objects outside ServerRoot - this security measure is taken
             in case httpd is compromised. This is not without drawbacks,
             though:
             CGI programs may fail due to the limited environment available
             inside this chroot space. UserDir, of course, cannot access
             files outside the directory space. Other modules will also have
             issues. DocumentRoot directories or any other files needed must
             be inside ServerRoot. For this to work, pathnames inside the
             config file do not need adjustment relative to ServerRoot. For
             this option to remain secure, it is important that no files or
             directories writable by user www or group www are created inside
             the ServerRoot.

So, the bottom line is, if I use this option, will I be able to access UNIX level commands from within Mod_python?

By the way, FYI - This apache server is only going to be accessible from a small number of work stations within a small secure netblock, so we are not concerned with the possibility of an outside system hacking into Apache.

Please send your replies to 'crunch at shopip dot com'
Thanx
John
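
The man page excerpt quoted in the message says the chroot only stays secure if nothing inside ServerRoot is writable by user www or group www. The following is an added example, not part of the original post or of OpenBSD's own tooling, that audits a ServerRoot for such objects with find(1). The function names, the required path argument, and the choice to also flag world-writable objects (which www can write to as well) are assumptions of this example.

```shell
#!/bin/sh
# Added example: list objects under a chrooted ServerRoot that the web
# server account could modify. Only mode bits and ownership are checked.

# audit_serverroot ROOT [USER] [GROUP]
# Prints every non-symlink path under ROOT that is
#   - owned by USER and owner-writable, or
#   - in GROUP and group-writable, or
#   - world-writable.
# USER and GROUP default to "www", the account named in the man page.
audit_serverroot() {
    root=$1
    user=${2:-www}
    group=${3:-www}
    if [ ! -d "$root" ]; then
        echo "audit_serverroot: not a directory: $root" >&2
        return 2
    fi
    # Symlinks are skipped: their own mode bits are not meaningful.
    find "$root" ! -type l \( \
        \( -user "$user" -perm -200 \) -o \
        \( -group "$group" -perm -020 \) -o \
        -perm -002 \
    \) -print
}

# serverroot_is_clean ROOT [USER] [GROUP]
# Returns 0 if nothing is writable, 1 if there are findings,
# 2 if the audit itself could not run (bad path, unknown user or group).
serverroot_is_clean() {
    findings=$(audit_serverroot "$@") || return 2
    [ -z "$findings" ]
}

# When run as a script with arguments, print the findings.
if [ "$#" -gt 0 ]; then
    audit_serverroot "$@"
fi
```

Pass the ServerRoot path configured on the host as the first argument; an empty result means no object under it carries a write bit that applies to the www account.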