[mod_python] security issues

Jorey Bump list at joreybump.com
Tue Feb 1 10:44:59 EST 2005


Lula Dog wrote:

> I cannot find anything related to the python security 
> configuration/installation...Any hints?
> I just want to know if there are some security guidelines during the 
> installation/configuration of Python on Unix systems...
> Any help would be very much appreciated....

Many of the same security issues that apply to other embedded 
interpreters apply to mod_python. Here are some brief descriptions. 
Rather than list the solutions in detail, use them as a basis to search 
the mailing list or web:

1. Store sensitive data in modules outside of the DocumentRoot of your 
site. This prevents modules from being exposed if mod_python isn't running.

2. Don't store backup files where they can be accessed via HTTP. 
Honestly, I'm sure I could gather about a thousand db passwords in a day 
if I simply created a bot that crawled dynamically driven sites and 
appended ~ to every file name it finds.

3. Use the FilesMatch directive to disallow access to important types of 
files, such as *.pyc, *.pyo, *~, etc.

4. Understand the quirks of mod_python.publisher if you use it as a 
handler. For example, add a leading underscore to objects if you do not 
want them to be directly accessible via HTTP (_foo = "secret word").

5. Because the embedded interpreter runs applications as the apache 
user, all other applications may have access to the same files. This can 
have serious implications in a multiuser environment, and applies to 
PHP, SSI, CGI, etc., as well.

6. Avoid any kind of dependency on the PATH environment variable. It can 
easily be changed by other applications, causing your own to fail. If 
you must call system programs, declare the full path explicitly, *always*.

7. Debugging information can be essential when developing an 
application. Take pains to ensure that error messages don't reveal 
sensitive data if they are returned to the browser. Review your code, 
and use try/except statements to catch errors when appropriate.

8. Learn about Python's mechanisms to restrict what gets exported by a 
module.

9. If your database and application are on the same machine, don't let 
the database listen on a port exposed to the Internet.

That's all I can think of right now, hope it helps.
