[mod_python] File Sessions security problem?

Jim Gallacher jpg at jgassociates.ca
Thu Jun 22 08:47:54 EDT 2006


Graham Dumpleton wrote:
> marinus van aswegen wrote ..
>> Hi
>>
>> I have been playing with mod_python (ubuntu std, breezy build) and I
>> noticed that the sessions db is stored in the /tmp dir with
>> permissions that will permit any user to read the file. I'm not too
>> happy with this since I store some very sensitive info in the session
>> object.
>>
>> It's easy to chmod it, but perhaps it would be better to create the
>> file with more restrictive permissions?
> 
> The FileSession code uses file() to create the file. As such the file
> permissions are dictated by the umask of the user that Apache runs as.
> 
> Unfortunately file() doesn't allow a more constrained umask to be
> provided when creating a file and calling os.chmod() after the fact
> still allows a window, albeit small, where things could be done with the
> file.
> 
> Thus, the code should perhaps instead use os.open(). Thus something like:
> 
>   os.open(filename, os.O_RDWR | os.O_CREAT, 0600)
> 
> But then that returns a file descriptor ID and not a file like object
> and it can't just be passed straight into cPickle.dump(), thus before
> doing that, probably need to send it through os.fdopen() to create
> a file like object.
> 
> Anyway, doing this would allow one to constrain the umask.

I think there may be some confusion here. Is Marinus referring to 
FileSession files, or the db file created by DbmSession?

In the case of FileSession, the individual files are arranged in a 
directory structure under the main session directory (mp_sess by 
default). Mp_sess and its subdirectories are created with mode 0750, so 
although the individual files may be world readable their parent 
directories are not.

The dbm file created by DbmSession is indeed created world readable. I 
actually thought this had been fixed early in 3.2, but the code does not 
lie - it's still using the anydbm default mode. I'll fix this 
unless anyone can see a reason why we are currently not passing the file 
creation mode to the dbm open() call.

As a temporary workaround, if you are using mod_python 3.2.8, you could use:

   PythonOption session_directory /path/to/some/directory

to specify the location where the db file is created, and set the 
permissions of /path/to/some/directory to 0700.

Jim
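
The two measures discussed in this thread (creating the file through os.open() with an explicit mode, and passing a mode to the dbm open() call inside a 0700 directory), shown as an added example that is not mod_python's code. It uses Python 3's pickle and dbm in place of cPickle and anydbm; the function names, file names and scratch directory are assumptions made for the illustration.

```python
import dbm
import glob
import os
import pickle
import stat
import tempfile

PRIVATE_FILE = 0o600   # owner read/write only
PRIVATE_DIR = 0o700    # mode suggested in the thread for the session directory


def mode_of(path):
    """Return the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def save_session(path, data):
    """Pickle data into path without the file ever having a wider mode."""
    # The mode is applied at creation time, so there is no chmod window.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_FILE)
    try:
        # O_CREAT ignores the mode if the file already exists: tighten it too.
        os.fchmod(fd, PRIVATE_FILE)
        f = os.fdopen(fd, "wb")   # file-like object that pickle.dump() needs
    except Exception:
        os.close(fd)
        raise
    with f:
        pickle.dump(data, f)


def open_session_dbm(path):
    """Open (creating if needed) a dbm store with an explicit creation mode."""
    return dbm.open(path, "c", PRIVATE_FILE)


def demo():
    """Build both stores in a constructed scratch directory; return modes."""
    base = tempfile.mkdtemp()              # constructed location, not /tmp/mp_sess
    sess_dir = os.path.join(base, "sessions")
    os.mkdir(sess_dir, PRIVATE_DIR)
    pkl = os.path.join(sess_dir, "sid.pkl")
    open(pkl, "w").close()
    os.chmod(pkl, 0o644)                   # simulate a stale world-readable file
    save_session(pkl, {"user": "alice"})
    with open_session_dbm(os.path.join(sess_dir, "session_db")) as db:
        db["sid"] = pickle.dumps({"user": "alice"})
    db_modes = [mode_of(p) for p in glob.glob(sess_dir + "/session_db*")]
    return mode_of(sess_dir), mode_of(pkl), db_modes
```

The mode passed to os.open() and dbm.open() is still masked by the process umask, so the umask can only make the result stricter, never looser.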

