Paul Hart
paulhart at redchocolate.ca
Sat Apr 3 18:16:11 EST 2004
John,

'-u' completely removes the chroot jail. The only other issue you might have is that the 3.x versions of mod_python require Apache 2... If you don't need that, there shouldn't be any issues.

Personally, I use a self-built Apache 2 with mod_python 3 and Python 2.2. Everything works very well.

Python is available in the ports tree, both 2.2 and 2.3 are there.

A pleasure to be of assistance cap'n.

Paul

On 3 Apr 2004, at 17:31, John Draper wrote:

> Hi,
>
> As some, but not all people know, the Apache that comes with OpenBSD has a few
> security features built in. In most cases, this severely restricts the environment
> that CGI code can run in.
>
> Is the environment of Mod_python within the same chrooted environment that normal
> CGI's would run in? Or, because it's a module, would it be running under the same
> permissions as 'httpd' and would that ALSO be run under the chrooted environment?
>
> Is there anyone on this list using OpenBSD and running CGI's successfully?
>
> Below is a portion of the man httpd for the OpenBSD ver of apache.
> Not certain if other OS's have this feature.
>
> OPTIONS
>      -u      By default httpd will chroot(2) to the serverroot path. The -u
>              option disables this behaviour, and returns httpd to the expanded
>              "unsecure" behaviour.
>
>              As a result of the default secure behaviour, httpd cannot access
>              any objects outside ServerRoot - this security measure is taken
>              in case httpd is compromised. This is not without drawbacks,
>              though:
>
>              CGI programs may fail due to the limited environment available
>              inside this chroot space. UserDir, of course, cannot access
>              files outside the directory space. Other modules will also have
>              issues. DocumentRoot directories or any other files needed must
>              be inside ServerRoot. For this to work, pathnames inside the
>              config file do not need adjustment relative to ServerRoot.
>
>              For this option to remain secure, it is important that no files or
>              directories writable by user www or group www are created inside
>              the ServerRoot.
>
> So, the bottom line is, if I use this option, will I be able to access
> UNIX level commands from within Mod_python?
>
> By the way, FYI - This apache server is only going to be accessible from a small
> number of work stations within a small secure netblock, so we are not concerned
> with the possibility of an outside system hacking into Apache.
>
> Please send your replies to 'crunch at shopip dot com'
>
> Thanx
> John
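A check for the condition the quoted man page sets for the chroot to stay secure (no files or directories writable by user www or group www inside ServerRoot), as an added example that is not part of either message. The function name is hypothetical, and the `/var/www` path in the usage section is an assumed ServerRoot to be replaced with the configured one.

```python
import grp
import os
import pwd
import stat
import sys


def writable_by(root, uid, gids):
    """Return sorted (path, class) pairs under root, root included, that the
    given uid or any gid in gids may write to under Unix permission rules."""
    findings = []

    def check(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return  # a symlink's own mode bits are not enforced
        # Exactly one permission class applies: owner, else group, else other.
        if st.st_uid == uid:
            bit, who = stat.S_IWUSR, "owner"
        elif st.st_gid in gids:
            bit, who = stat.S_IWGRP, "group"
        else:
            bit, who = stat.S_IWOTH, "other"
        if st.st_mode & bit:
            findings.append((path, who))

    check(root)
    # os.walk does not follow symlinks, so the scan stays inside root.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: /var/www stands in for the ServerRoot of this installation.
    server_root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    www_uid = pwd.getpwnam("www").pw_uid   # user named in the man page
    www_gid = grp.getgrnam("www").gr_gid   # group named in the man page
    hits = writable_by(server_root, www_uid, {www_gid})
    for path, who in hits:
        print(f"writable via {who} bits: {path}")
    sys.exit(1 if hits else 0)
```

An empty result means nothing under the tree is writable through the www account's permission bits; the script exits non-zero otherwise, so it can run from cron or a deployment check.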