[mod_python] os.system() call does not work within mod_python script

Wouter van Marle wouter at squirrel-systems.com
Sun May 15 10:22:15 EDT 2005


Hi all,

Arno, very interesting this issue, I'm going to remember it as I may
need it myself. Sounds useful.

One concern: are there any security risks involved here? It is not for
nothing that Apache runs as such a special unprivileged user. You
basically appear to open a door out of that sandbox. It is generally not
that hard to recognise Python is being used (e.g. urls ending in .py,
comments in the html source, .psp extensions).

Any comments, anyone?

Wouter.

On Sun, 2005-05-15 at 12:59 +0200, Arno Wilhelm wrote:
> Hello,
> 
> thanks for your help.
> 
> I have resolved the issue now. User apache is not allowed to issue (almost) any 
> command. I had to load the suexec module that uses the command suexec2 in order 
> to get that to work!
> 
> The only command that worked without the suexec_module was the echo command:
> system( "/bin/echo Hello_mod_python >> /tmp/dummy.log 2>&1" )
> 
> Any other command from within a mod_python script did not show any results, 
> except an empty /tmp/dummy file (but not even an error message) at all!
> 
> When I load the suexec_module in apache2.conf like this:
> 
> LoadModule suexec_module      modules/mod_suexec.so
> SuexecUserGroup root root
> 
> apache2 seems to issue the command with the help of the suexec2 utility:
> 
> # suexec2 -V
>   -D AP_DOC_ROOT="/var/www"
>   -D AP_GID_MIN=100
>   -D AP_HTTPD_USER="apache"
>   -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
>   -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>   -D AP_SUEXEC_UMASK=077
>   -D AP_UID_MIN=1000
>   -D AP_USERDIR_SUFFIX="public_html"
> 
> 
> See also this website for more details:
> http://blog.develix.com/archives/33-Configuring-Apache-and-PHP-to-use-mod_suexec.html
> 
> 
> Thanks and greetings,
> 
> 
> quirxi
> 
> Graham Dumpleton wrote:
> > On 15/05/2005, at 8:08 AM, Arno Wilhelm wrote:
> > 
> >> Hello,
> >>
> >> I have got a problem for which I cannot find a proper solution:
> >>
> >> Whenever a user on his browser hits a certain page (served by 
> >> mod_python) the mod_python should send a SIGUSR signal to a certain 
> >> process in order to force an update on him like this
> >>
> >> # os.system( "kill -s SIGUSR1 26199" )
> >>
> >> Whenever I make this call from within a python script it works. But 
> >> whenever I try to build it into the mod_python script that is handled 
> >> by apache it does not work. After that I have experimented with other 
> >> os.system calls from within mod_python scripts and all of them seem to 
> >> be ignored somehow.
> >>
> >> Could someone here possibly shed some light on this issue, since I am 
> >> on the end of my knowledge.
> > 
> > 
> > A few things to consider.
> > 
> > 1. Set full pathnames to the programs in the command.
> > 
> > The PATH setup for Apache may not be that useful. It may reference
> > some standard locations, but not much. Thus, if you expect program
> > to be found by searching PATH, it may not work.
> > 
> > 2. Don't rely on the current working directory to be anything specific.
> > 
> > Normally current working directory would be '/' and nothing to do
> > with where any Python request handler will be. Any references to files
> > should always be as absolute paths.
> > 
> > 3. Apache usually runs as user "nobody" or some other special user.
> > 
> > Because Apache runs as a special user, it often will not have the
> > necessary privileges to be able to write to directories or send signals
> > to processes running as another user.
> > 
> > 4. Log output of scripts to a directory in "/tmp".
> > 
> > As a way of working out problems, send the output of any commands to
> > a log file in "/tmp". Ie., run your command as:
> > 
> >   os.system( "kill -s SIGUSR1 26199 >> /tmp/dummy.log 2>&1" )
> > 
> > This will allow you to see any errors. With the way that Apache works,
> > you might not otherwise see errors generated by a call to os.system()
> > until Apache is shut down and certain buffers are flushed out.
> > 
> > Graham
> > 
> > 
> > 
> > 
> 
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
> 
> 
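
Added example, not part of the thread or of mod_python: one way to deliver the SIGUSR1 from the original question without a shell and without running commands as root, returning the failure reason that os.system() hid. It assumes the target process writes its PID to a pidfile; the path and the names read_pid and notify are hypothetical.

```python
import errno
import os
import signal

# Hypothetical path: the thread never says where the target process keeps its PID.
PIDFILE = "/var/run/updater.pid"


def read_pid(pidfile):
    """Return the PID stored in pidfile; raise ValueError if it is not usable."""
    with open(pidfile) as fh:
        text = fh.read(32).strip()
    if not text.isdigit():
        raise ValueError("pidfile does not hold a decimal PID: %r" % text)
    pid = int(text)
    if pid <= 1:  # 0 means "my whole process group", 1 is init
        raise ValueError("refusing to signal PID %d" % pid)
    return pid


def notify(pidfile=PIDFILE, sig=signal.SIGUSR1):
    """Send sig to the process named in pidfile and return (ok, message).

    The message carries the failure reason, so the handler can log it
    rather than lose it the way os.system() did in the thread.
    """
    try:
        pid = read_pid(pidfile)
        os.kill(pid, sig)  # direct syscall: no shell, no PATH, no cwd
    except OSError as exc:
        if exc.errno == errno.EPERM:
            return False, "EPERM: target runs as a different user"
        if exc.errno == errno.ESRCH:
            return False, "ESRCH: stale pidfile, no such process"
        return False, "OSError: %s" % exc
    except ValueError as exc:
        return False, "ValueError: %s" % exc
    return True, "sent signal %d to PID %d" % (sig, pid)


if __name__ == "__main__":
    print(notify())
```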


