Graham Dumpleton
grahamd at dscpl.com.au
Wed Jun 21 18:31:18 EDT 2006
marinus van aswegen wrote ..
> Hi
>
> I have been playing with mod_python (ubuntu std, breezy build) and I
> noticed that the sessions db is stored in the /tmp dir with
> permissions that will permit any user to read the file. I'm not too
> happy with this since I store some very sensitive info in the session
> object.
>
> It's easy to chmod it, but perhaps it would be better to create the
> file with more restrictive permissions?

The FileSession code uses file() to create the file. As such the file
permissions are dictated by the umask of the user that Apache runs as.

Unfortunately file() doesn't allow a more constrained umask to be
provided when creating a file and calling os.chmod() after the fact
still allows a window, albeit small, where things could be done with
the file.

Thus, the code should perhaps instead use os.open(). Thus something like:

  os.open(filename, os.O_RDWR | os.O_CREAT, 0600)

But then that returns a file descriptor ID and not a file like object
and it can't just be passed straight into cPickle.dump(), thus before
doing that, probably need to send it through os.fdopen() to create a
file like object.

Anyway, doing this would allow one to constrain the umask.

Comments??

Graham
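The approach proposed in the message above, as an added example that is not part of the original post or of mod_python's FileSession code. It assumes Python 3 on a POSIX system (pickle in place of cPickle, 0o600 in place of 0600); the function names and sample session data are hypothetical.

```python
import os
import pickle
import stat
import tempfile

def save_session_default(filename, data):
    """Baseline: open() creates the file as 0666 masked by the umask."""
    with open(filename, "wb") as fp:
        pickle.dump(data, fp)

def save_session_private(filename, data):
    """Create the file as 0600 from the start, then pickle into it."""
    # O_TRUNC is added so a rewrite with shorter data leaves no stale bytes.
    fd = os.open(filename, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        # The mode argument only applies when os.open() creates the file.
        # A file that already exists keeps its old mode, so tighten it
        # through the descriptor before any data is written.
        os.fchmod(fd, 0o600)
    except OSError:
        os.close(fd)
        raise
    # Wrap the descriptor in a file object so pickle.dump() can use it.
    with os.fdopen(fd, "wb") as fp:
        pickle.dump(data, fp)

def mode_of(filename):
    return stat.S_IMODE(os.stat(filename).st_mode)

def demo():
    """Compare both writers under a 022 umask (constructed sample data)."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            session = {"user": "alice", "token": "constructed-sample"}
            loose = os.path.join(d, "sess_default")
            tight = os.path.join(d, "sess_private")
            save_session_default(loose, session)
            save_session_private(tight, session)
            default_mode, private_mode = mode_of(loose), mode_of(tight)
            # Rewriting a pre-existing world-readable file must tighten it.
            save_session_private(loose, session)
            with open(tight, "rb") as fp:
                roundtrip_ok = pickle.load(fp) == session
            return default_mode, private_mode, mode_of(loose), roundtrip_ok
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print([oct(m) if isinstance(m, int) else m for m in demo()])
```
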