|
Arno Wilhelm
quirxi at aon.at
Sun May 15 15:00:17 EDT 2005
Hi > One concern: are there any security risks involved here? It is not just > because that Apache runs as such a special unprivileged user. You > basically appear to open a door out of that sandbox. It is generally not > that hard to recognise Python is being used (e.g. urls ending in .py, > comments in the html source, .psp extensions). > > Any comments, anyone? I do not think that is a big security risk if you take some precautions. Never let anybody else have access to your computer so that he can change the scripts directly. Nor would I use variables as an argument to the os.system call ... I think this mod_suexec was made in order to allow a save execution of cgi scripts. Here is a good page that deals with that security concern: http://httpd.apache.org/docs-2.0/suexec.html But I have to admit that I am not a security expert and as usual - a talented hacker with enough time might find a way to break into the system :( regards, quirxi > Wouter. > > On Sun, 2005-05-15 at 12:59 +0200, Arno Wilhelm wrote: > >>Hello, >> >>thanks for your help. >> >>I have resolved the issue now. User apache is not allowed to issue (almost) any >>command. I had to load the suexec module that uses the command suexec2 in order >>to get that to work! >> >>The only command that worked without the suexec_module was the echo command: >>system( "/bin/echo Hello_mod_python >> /tmp/dummy.log 2>&1" ) >> >>Any other command from within a mod_python script did not show any results, >>except an empty /tmp/dummy file (but not even an error message) at all! >> >>When I load the suexec_module in apache2.conf like this: >> >>LoadModule suexec_module modules/mod_suexec.so >>SuexecUserGroup root root >> >>apache2 seems to issue the command with the help of the suexec2 utility: >> >># suexec2 -V >> -D AP_DOC_ROOT="/var/www" >> -D AP_GID_MIN=100 >> -D AP_HTTPD_USER="apache" >> -D AP_LOG_EXEC="/var/log/apache2/suexec_log" >> -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin" >> -D AP_SUEXEC_UMASK=077 >> -D AP_UID_MIN=1000 >> -D AP_USERDIR_SUFFIX="public_html" >> >> >>See also this website for more details: >>http://blog.develix.com/archives/33-Configuring-Apache-and-PHP-to-use-mod_suexec.html >> >> >>Thanks and greetings, >> >> >>quirxi >> >>Graham Dumpleton wrote: >> >>>On 15/05/2005, at 8:08 AM, Arno Wilhelm wrote: >>> >>> >>>>Hello, >>>> >>>>I have got a proble for which I cannot find a proper solution: >>>> >>>>Whenever a user on his browser hits a certain page (served by >>>>mod_python) the mod_python should send a SIGUSR signal to a certain >>>>process in order to force a update on him like this >>>> >>>># os.system( "kill -s SIGUSR1 26199" ) >>>> >>>>Whenever I make this call from within a python script it works. But >>>>whenever I try to build it into the mod_python script that is handled >>>>by apache it does not work. After that I have experimented with other >>>>os.system calls from within mod_python scripts and all of them seem to >>>>be ignored somehow. >>>> >>>>Could someone here possibly shed some light on this issue, since I am >>>>on the end of my knowledge. >>> >>> >>>A few things to consider. >>> >>>1. Set full pathnames to the programs in the command. >>> >>>The PATH setup for Apache may not be that useful. It may reference >>>some standard locations, but not much. Thus, if you expect program >>>to be found by searching PATH, it may not work. >>> >>>2. Don't rely on the current working directory to be anything specific. >>> >>>Normally current working directory would be '/' and nothing to to do >>>with where any Python request handler will be. Any references to files >>>should always be as absolute paths. >>> >>>3. Apache usually runs as user "nobody" or some other special user. >>> >>>Because Apache runs as a special user, it often will not have the >>>necessary privileges to be able to write to directories or send signals >>>to processes running as another user. >>> >>>4. Log output of scripts to a directory in "/tmp". >>> >>>As a way of working out problems, send the output of any commands to >>>a log file in "/tmp". Ie., run your command as: >>> >>> os.system( "kill -s SIGUSR1 26199 >> /tmp/dummy.log 2>&1" ) >>> >>>This will allow you to see any errors. With the way that Apache works, >>>you might not otherwise see errors generated by a call to os.system() >>>until Apache is shutdown and certain buffers are flushed out. >>> >>>Graham >>> >>> >>> >>> >> >>_______________________________________________ >>Mod_python mailing list >>Mod_python at modpython.org >>http://mailman.modpython.org/mailman/listinfo/mod_python >> >> > > > _______________________________________________ > Mod_python mailing list > Mod_python at modpython.org > http://mailman.modpython.org/mailman/listinfo/mod_python > >
|