[mod_python] Some questions about CHRooted environment

Paul Hart paulhart at redchocolate.ca
Sat Apr 3 18:16:11 EST 2004


John,

'-u' completely removes the chroot jail. The only other issue you might 
have is that the 3.x versions of mod_python require Apache 2... If you 
don't need that, there shouldn't be any issues.

Personally, I use a self-built Apache 2 with mod_python 3 and Python 
2.2. Everything works very well.

Python is available in the ports tree; both 2.2 and 2.3 are there.

A pleasure to be of assistance cap'n.

Paul

On 3 Apr 2004, at 17:31, John Draper wrote:

> Hi,
>
> As some, but not all people know, the Apache that comes with OpenBSD has a few
> security features built in. In most cases, this severely restricts the environment
> that CGI code can run in.
>
> Is the environment of Mod_python within the same chrooted environment that normal
> CGIs would run in? Or, because it's a module, would it be running under the same
> permissions as 'httpd' and would that ALSO be run under the chrooted environment?
>
> Is there anyone on this list using OpenBSD and running CGIs successfully?
>
> Below is a portion of the man httpd for the OpenBSD version of Apache.
> Not certain if other OSes have this feature.
>
> OPTIONS
>      -u      By default httpd will chroot(2) to the serverroot path.  The -u
>              option disables this behaviour, and returns httpd to the expanded
>              "unsecure" behaviour.
>
>              As a result of the default secure behaviour, httpd cannot access
>              any objects outside ServerRoot - this security measure is taken
>              in case httpd is compromised.  This is not without drawbacks,
>              though:
>
>              CGI programs may fail due to the limited environment available
>              inside this chroot space.  UserDir, of course, cannot access
>              files outside the directory space.  Other modules will also have
>              issues.  DocumentRoot directories or any other files needed must
>              be inside ServerRoot.  For this to work, pathnames inside the
>              config file do not need adjustment relative to ServerRoot.  For
>              this option to remain secure, it is important that no files or
>              directories writable by user www or group www are created inside
>              the ServerRoot.
>
> So, the bottom line is, if I use this option, will I be able to access
> UNIX level commands from within Mod_python?
>
> By the way, FYI - This Apache server is only going to be accessible from a small
> number of workstations within a small secure netblock, so we are not concerned
> with the possibility of an outside system hacking into Apache.
>
> Please send your replies to 'crunch at shopip dot com'
>
> Thanx
> John
>

