[mod_python] File Sessions security problem?

Graham Dumpleton grahamd at dscpl.com.au
Wed Jun 21 18:31:18 EDT 2006

marinus van aswegen wrote ..
> Hi
> I have been playing with mod_python (ubuntu std, breezy build) and I
> noticed that the sessions db is stored in the /tmp dir with
> permissions that will permit any user to read the file. I'm not to
> happy with this since I store some very sensitive info in the session
> object.
> It's easy to chmod it, but perhaps it would be better to create the
> file with more restrictive permissions?

The FileSession code uses file() to create the file. As such the file
permissions are dictated by the umask of the user that Apache runs as.

Unfortunately file() doesn't allow a more constrained umask to be
provided when creating a file and calling os.chmod() after the fact
still allows a window, albeit small, where things could be done with the

Thus, the code should perhaps instead us os.open(). Thus something like:

  os.open(filename, os.O_RDWR | os.O_CREAT, 0600)

But then that returns a file descriptor ID and not a file like object
and it can't just be passed straight into cPickle.dump(), thus before
doing that, probably need to send it through os.fdopen() to create
a file like object.

Anyway, doing this would allow one to constrain the umask.



More information about the Mod_python mailing list