[mod_python] Configuring mod_python via reverse proxy

Graham Dumpleton grahamd at dscpl.com.au
Thu Dec 15 23:02:49 EST 2005


Roberto Sanchez wrote ..
> Graham Dumpleton wrote:
> > 
> > So we know exactly where you are coming from, what do you understand
> > as being the "problems encountered by using mod_python on a shared
> > machine"?
> > 
> I was under the impression that there was the possibility of 
> "cross-polution" by having different users' python scripts running under
> a single apache instance.
> 
> For example, from the Apache security tips:
> 
> "Embedded scripting options which run as part of the server itself, such
> as mod_php, mod_perl, mod_tcl, and mod_python, run under the identity of
> the server itself (see the User directive), and therefore scripts 
> executed by these engines potentially can access anything the server 
> user can. Some scripting engines may provide restrictions, but it is 
> better to be safe and assume not."

Yes, except that there are really two issues here. The first as you
highlight is that all scripts run as the same user.

The bigger immediate problem is the potential cross pollution of Python
modules and the visibility of another users Python modules within the
executing process. This will occur where requests for each user are
handled within the context of one Python interpreter instance, which is
the default if both users requests are handled within the context of the
same virtual host.

With a bit of work, one could specify in the main Apache configuration
file that each user has a distinct interpreter using PythonInterpreter
directive, but there is no way of stopping the user changing it to
something else in .htaccess file, bar preventing the use of .htaccess
file altogether.

The consequence of this is that I could use PythonInterpreter to name
some other users interpreter and create special handlers that allowed
me to then browse all his loaded modules looking for senstive data
such as login details, or cached data out of a database etc.

What is really required in mod_python is a way for an administrator to
set PythonInterpreter in the main Apache configuration differently for
differently parts of the URL namespace and then set some other option
to say that it cannot be overridden in a .htaccess file at all.

This way the administrator has better control and can ensure some
seperation. I'm not sure though whether there is a means by which it
could be added to mod_python such that this could be done. Would need
some digging into the Apache internals.

This wouldn't solve the problem completely though, as the fact that
all users code runs as the same actual user, means that you could just
read the source code in direct as text and steal it that way. This means
someone is doing it deliberately, but at present with how mod_python
works, the cross pollution of in memory modules can lead to unexpected
behaviour without even trying. Hopefully mod_python 3.3 will solve this
with the module importing system being reimplemented.

So yes, your concerns are quite valid and no there aren't any simple
answers. :-(

Graham


More information about the Mod_python mailing list