[mod_python] Where do you put your py modules... ? [alias paranoid protector]

Graham Dumpleton grahamd at dscpl.com.au
Sat Oct 7 23:51:56 EDT 2006


On 07/10/2006, at 8:11 PM, Durumdara wrote:

> Hi !
>
> Where do you put your py modules ?

Personally I have no issues with putting the source code which is
used to render the view in files which are in the document tree. Any
stuff which represents the model or core of the application would
certainly be put elsewhere, especially anything which may relate
to database access and could contain passwords etc.

> Interesting question!
>
> I have a site, and I want to protect it.
> Because I want to do this, I use the .php extension for my main py
> script, something like this:
>
> ### index.php
>
> import os
> from mod_python.importer import import_module
>
> def handler(req):
>     # the real handlers live in ../py, outside the document tree
>     dir = os.path.join(os.path.dirname(__file__), '..', 'py')
>     mod = import_module('realhandlerscript', path=[dir])
>     return mod.handler(req)
>
> ### index.php
> (The php extension is a confusion-maker - the hackers will try
> php exploits on a php site. I can set this to .jsp, or another
> ext, to confuse the attackers).

Why not use the appropriate extension for the type of content that
is delivered up for the resource? In other words, why not use a .html
extension. If you use that, they will have no idea what implementation
language you are using. One could also use no extension at all.

> my site is like this:
> /htdocs
> /htdocs/index.php
> /py
>
> The /py contains all of the handlers, templates, and
> everything that I don't want to publish directly (I publish the
> contents from a globally controlled script).
>
> This is a kind of paranoia, but I fear that if I mess up my apache
> config file, all of my sources and directories will be visible as text
> (if I store them in the htdocs)...
>
> So I moved them into a lower level dir.
>
> Is it a good solution? Or can I set this in apache directory sections
> globally to make all of the py/psp and some other files invisible?

If using SetHandler directive and an appropriate handler, you can use
something like:

   <Files *.py>
   deny from all
   </Files>

   <Files *.pyc>
   deny from all
   </Files>

   <Files *.psp_>
   deny from all
   </Files>

The last one stops access to PSP source code when PythonDebug is
On and PSP is being used.

> Can I set this (in)visibility globally, so that only the server (and modpy)
> can see these files, but the requests/users cannot?

Depends on your handler and how you are triggering it.

> Do you know about any restrictions if I don't use the htdocs to
> store my handler scripts and other stuff?

Depends on how your handler is written to a degree. You do lose the
ability to use some Apache features if all you end up doing is using
Apache as a jumping off point and implementing all URL interpretation
yourself. In some respects, if you are going to do that, you may as well
trigger your handler from inside a Location directive, which since it
isn't associated with a physical directory cannot in any way result in
your source code being exposed.

Graham
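To tie the two suggestions above together (the Files deny blocks and the Location alternative), here is an added Apache configuration sketch; it is not from the thread or from the mod_python project, and the paths /srv/site/htdocs, /srv/site/py and the dispatcher module name "frontend" are assumed.

```apache
# Assumed layout (hypothetical):
#   /srv/site/htdocs  DocumentRoot, contains only static files and the dispatcher stub
#   /srv/site/py      handlers, templates, DB code: never inside the document tree

<Directory /srv/site/htdocs>
    SetHandler mod_python
    PythonHandler frontend                 # assumed dispatcher module in /srv/site/py
    PythonPath "['/srv/site/py'] + sys.path"
    PythonDebug Off                        # keeps tracebacks (and PSP source) out of responses

    # Defence in depth: even if SetHandler is lost in a later edit, these
    # files are refused before any content handler runs. Apache 2.2 syntax;
    # Apache 2.4 uses "Require all denied" instead of Order/Deny.
    <FilesMatch "\.(py|pyc|psp_)$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</Directory>

# Alternative: trigger the handler from a URL prefix rather than a directory.
# Nothing under /app maps to a filesystem path, so a misconfiguration
# cannot fall back to serving the handler sources as plain text.
<Location /app>
    SetHandler mod_python
    PythonHandler frontend
    PythonPath "['/srv/site/py'] + sys.path"
</Location>
```

After changing the config, a quick check is to request a URL ending in .py or .psp_ under the document tree and confirm Apache answers 403 rather than returning source.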

