[mod_python] os.system() call does not work within mod_python script

Arno Wilhelm quirxi at aon.at
Sun May 15 15:00:17 EDT 2005


Hi

> One concern: are there any security risks involved here? It is not just
> because that Apache runs as such a special unprivileged user. You
> basically appear to open a door out of that sandbox. It is generally not
> that hard to recognise Python is being used (e.g. urls ending in .py,
> comments in the html source, .psp extensions).
> 
> Any comments, anyone?

I do not think that is a big security risk if you take some precautions.
Never let anybody else have access to your computer so that he can change the 
scripts directly. Nor would I use variables as an argument to the os.system call ...
I think this mod_suexec was made in order to allow a safe execution of CGI scripts.
Here is a good page that deals with that security concern:
http://httpd.apache.org/docs-2.0/suexec.html

But I have to admit that I am not a security expert and as usual - a talented 
hacker with enough time might find a way to break into the system :(


regards,

quirxi



> Wouter.
> 
> On Sun, 2005-05-15 at 12:59 +0200, Arno Wilhelm wrote:
> 
>>Hello,
>>
>>thanks for your help.
>>
>>I have resolved the issue now. User apache is not allowed to issue (almost) any 
>>command. I had to load the suexec module that uses the command suexec2 in order 
>>to get that to work!
>>
>>The only command that worked without the suexec_module was the echo command:
>>system( "/bin/echo Hello_mod_python >> /tmp/dummy.log 2>&1" )
>>
>>Any other command from within a mod_python script did not show any results, 
>>except an empty /tmp/dummy file (but not even an error message) at all!
>>
>>When I load the suexec_module in apache2.conf like this:
>>
>>LoadModule suexec_module      modules/mod_suexec.so
>>SuexecUserGroup root root
>>
>>apache2 seems to issue the command with the help of the suexec2 utility:
>>
>># suexec2 -V
>>  -D AP_DOC_ROOT="/var/www"
>>  -D AP_GID_MIN=100
>>  -D AP_HTTPD_USER="apache"
>>  -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
>>  -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>>  -D AP_SUEXEC_UMASK=077
>>  -D AP_UID_MIN=1000
>>  -D AP_USERDIR_SUFFIX="public_html"
>>
>>
>>See also this website for more details:
>>http://blog.develix.com/archives/33-Configuring-Apache-and-PHP-to-use-mod_suexec.html
>>
>>
>>Thanks and greetings,
>>
>>
>>quirxi
>>
>>Graham Dumpleton wrote:
>>
>>>On 15/05/2005, at 8:08 AM, Arno Wilhelm wrote:
>>>
>>>
>>>>Hello,
>>>>
>>>>I have got a problem for which I cannot find a proper solution:
>>>>
>>>>Whenever a user on his browser hits a certain page (served by 
>>>>mod_python) the mod_python should send a SIGUSR signal to a certain 
>>>>process in order to force an update on him like this
>>>>
>>>># os.system( "kill -s SIGUSR1 26199" )
>>>>
>>>>Whenever I make this call from within a python script it works. But 
>>>>whenever I try to build it into the mod_python script that is handled 
>>>>by apache it does not work. After that I have experimented with other 
>>>>os.system calls from within mod_python scripts and all of them seem to 
>>>>be ignored somehow.
>>>>
>>>>Could someone here possibly shed some light on this issue, since I am 
>>>>at the end of my knowledge.
>>>
>>>
>>>A few things to consider.
>>>
>>>1. Set full pathnames to the programs in the command.
>>>
>>>The PATH setup for Apache may not be that useful. It may reference
>>>some standard locations, but not much. Thus, if you expect program
>>>to be found by searching PATH, it may not work.
>>>
>>>2. Don't rely on the current working directory to be anything specific.
>>>
>>>Normally current working directory would be '/' and nothing to do
>>>with where any Python request handler will be. Any references to files
>>>should always be as absolute paths.
>>>
>>>3. Apache usually runs as user "nobody" or some other special user.
>>>
>>>Because Apache runs as a special user, it often will not have the
>>>necessary privileges to be able to write to directories or send signals
>>>to processes running as another user.
>>>
>>>4. Log output of scripts to a directory in "/tmp".
>>>
>>>As a way of working out problems, send the output of any commands to
>>>a log file in "/tmp". Ie., run your command as:
>>>
>>>  os.system( "kill -s SIGUSR1 26199 >> /tmp/dummy.log 2>&1" )
>>>
>>>This will allow you to see any errors. With the way that Apache works,
>>>you might not otherwise see errors generated by a call to os.system()
>>>until Apache is shut down and certain buffers are flushed out.
>>>
>>>Graham
>>>
>>>
>>>
>>>
>>
>>_______________________________________________
>>Mod_python mailing list
>>Mod_python at modpython.org
>>http://mailman.modpython.org/mailman/listinfo/mod_python
>>
>>
> 
> 
> 
> 
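
Added example, not part of the original thread or of mod_python: one way to follow the advice above about keeping variables out of os.system() is to skip the shell entirely and send the signal with os.kill() after validating the PID, reporting the permission failure that arises when the Apache user may not signal another user's process. It is written for Python 3; the pidfile path, the function names and the injectable `send` parameter are assumptions made for illustration.

```python
import os
import re
import signal
import tempfile

# Hypothetical pidfile written by the process that should be told to update.
PIDFILE = "/var/run/updater.pid"


def read_pid(pidfile):
    """Return the PID stored in pidfile, or None if it is not a plain PID."""
    try:
        with open(pidfile) as fh:
            text = fh.read(32).strip()
    except OSError:
        return None
    # ASCII digits only: nothing read from the file can act as a command.
    if not re.fullmatch(r"[0-9]{1,10}", text):
        return None
    pid = int(text)
    # 0 would signal the whole process group and 1 is init: refuse both.
    return pid if pid > 1 else None


def signal_updater(pidfile=PIDFILE, send=os.kill):
    """Send SIGUSR1 without a shell; return a status string for the log."""
    pid = read_pid(pidfile)
    if pid is None:
        return "bad-pidfile"
    try:
        send(pid, signal.SIGUSR1)  # direct kill(2): no /bin/sh, no PATH lookup
    except ProcessLookupError:
        return "no-such-process"
    except PermissionError:
        # The web server user is not allowed to signal this process.
        return "not-permitted"
    return "sent"


if __name__ == "__main__":
    # Constructed pidfile contents: a valid PID, an injection attempt, PID 0.
    for content in ("26199\n", "26199; rm -rf /tmp/x\n", "0\n"):
        with tempfile.NamedTemporaryFile("w", suffix=".pid", delete=False) as tmp:
            tmp.write(content)
        # send is stubbed so the demo never signals a real process.
        print(repr(content), "->", signal_updater(tmp.name, send=lambda p, s: None))
        os.unlink(tmp.name)
```

Because the status comes back as a return value, a handler can write it to its own log instead of redirecting shell output to a file in /tmp.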


