Graham Dumpleton
grahamd at dscpl.com.au
Thu Dec 15 23:02:49 EST 2005
Roberto Sanchez wrote ..
> Graham Dumpleton wrote:
> >
> > So we know exactly where you are coming from, what do you understand
> > as being the "problems encountered by using mod_python on a shared
> > machine"?
> >
> I was under the impression that there was the possibility of
> "cross-pollution" by having different users' python scripts running under
> a single apache instance.
>
> For example, from the Apache security tips:
>
> "Embedded scripting options which run as part of the server itself, such
> as mod_php, mod_perl, mod_tcl, and mod_python, run under the identity of
> the server itself (see the User directive), and therefore scripts
> executed by these engines potentially can access anything the server
> user can. Some scripting engines may provide restrictions, but it is
> better to be safe and assume not."

Yes, except that there are really two issues here. The first as you
highlight is that all scripts run as the same user.

The bigger immediate problem is the potential cross pollution of Python
modules and the visibility of another user's Python modules within the
executing process. This will occur where requests for each user are
handled within the context of one Python interpreter instance, which is
the default if both users' requests are handled within the context of
the same virtual host.

With a bit of work, one could specify in the main Apache configuration
file that each user has a distinct interpreter using PythonInterpreter
directive, but there is no way of stopping the user changing it to
something else in .htaccess file, bar preventing the use of .htaccess
file altogether.

The consequence of this is that I could use PythonInterpreter to name
some other user's interpreter and create special handlers that allowed
me to then browse all his loaded modules looking for sensitive data such
as login details, or cached data out of a database etc.

What is really required in mod_python is a way for an administrator to
set PythonInterpreter in the main Apache configuration differently for
different parts of the URL namespace and then set some other option to
say that it cannot be overridden in a .htaccess file at all. This way
the administrator has better control and can ensure some separation. I'm
not sure though whether there is a means by which it could be added to
mod_python such that this could be done. Would need some digging into
the Apache internals.

This wouldn't solve the problem completely though, as the fact that all
users' code runs as the same actual user, means that you could just read
the source code in direct as text and steal it that way. This means
someone is doing it deliberately, but at present with how mod_python
works, the cross pollution of in memory modules can lead to unexpected
behaviour without even trying. Hopefully mod_python 3.3 will solve this
with the module importing system being reimplemented.

So yes, your concerns are quite valid and no there aren't any simple
answers. :-(

Graham
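
Added example, not part of the original message and not mod_python code: since the message says a per-user PythonInterpreter set in the main configuration can be changed from a .htaccess file, an administrator can audit user .htaccess files for that directive. The function name, directory paths, interpreter names and file contents below are constructed assumptions.

```python
import re

# Matches "PythonInterpreter <name>" with an optionally quoted name.
# Apache directive names are case-insensitive; lines starting with # are comments.
DIRECTIVE = re.compile(r'^\s*PythonInterpreter\s+("?)([^"\s]+)\1\s*$', re.IGNORECASE)


def find_overrides(htaccess_files, assigned):
    """Return (path, line_no, expected, named) for every .htaccess line that
    selects an interpreter other than the one assigned to that directory tree.

    htaccess_files: {path: file text}
    assigned:       {directory prefix: interpreter name set in the main config}
    """
    findings = []
    for path, text in sorted(htaccess_files.items()):
        # The longest matching prefix decides which user's policy applies.
        owners = [p for p in assigned if path.startswith(p.rstrip("/") + "/")]
        expected = assigned[max(owners, key=len)] if owners else None
        for line_no, line in enumerate(text.splitlines(), 1):
            m = DIRECTIVE.match(line)
            if m and m.group(2) != expected:
                findings.append((path, line_no, expected, m.group(2)))
    return findings


# Constructed policy and .htaccess contents (hypothetical paths and names).
ASSIGNED = {
    "/home/alice/public_html": "alice",
    "/home/bob/public_html": "bob",
}
SAMPLE = {
    "/home/alice/public_html/.htaccess":
        "AddHandler mod_python .py\nPythonHandler app\n",
    "/home/bob/public_html/.htaccess":
        "# tools\nPythonInterpreter alice\nPythonHandler tools\n",
    "/home/bob/public_html/blog/.htaccess":
        'pythoninterpreter "bob"\n',
}

if __name__ == "__main__":
    for path, line_no, expected, named in find_overrides(SAMPLE, ASSIGNED):
        print(f"{path}:{line_no}: selects interpreter {named!r}, "
              f"expected {expected!r}")
```

This is detection after the fact and covers only the PythonInterpreter directive named in the message; it does not address the second issue raised there, that all users' code runs as the same system user.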