[mod_python] Configuring mod_python via reverse proxy

Jorey Bump list at joreybump.com
Thu Dec 15 21:55:44 EST 2005

Roberto Sanchez wrote:
> Jorey Bump wrote:
>> It's a double-edged sword, much like running CGI with suexec.
>> Be sure to limit the user so there are no important assets in the home 
>> directory (like personal mail or private keys).
> So, what would be the best course of action in that case?  Put Maildirs 
> in a common directory under /var?  Even then, that directory would still 
> be writable by the user, just not under /home.  So, what's an admin to do?

Well, in my case, I split mail and web onto different machines. On the 
web machine(s), each virtual host gets a dedicated user with home 
directory in /var/www/hosts. On the mail machine(s), accounts are 
assigned to people as needed. By default, nobody gets a shell (but I'll 
make a rare exception for some web users).

This separation is more secure and much easier to manage. Users are free 
to hire developers or transfer domains without putting email accounts at 
risk. The servers are more specialized, so the number of exposed 
services is reduced.

If you're limited to one machine, it's still a good idea to separate 
your mail users from your web users.

More information about the Mod_python mailing list