Webapp servers & security

Alan Kennedy alanmk at hotmail.com
Tue Dec 7 14:04:26 EST 2004


[Anakim Border]
 > App servers such as quixote, webware and skunkweb (just to name a
 > few) offer a clean environment to develop Python webapps. I have some
 > problems, however, understanding their security model.

Since they each have different security models, that's not surprising. 
This is a difficult problem for people approaching Python. Hopefully it 
is the sort of problem that will be brought more under control when 
WSGI* is in widespread use and authentication is controlled using WSGI 
middleware.

*: http://www.python.org/peps/pep-0333.html

 > My objective is to host webapps from different people on a single
 > Linux server; because of that, I want to be sure that one webapp
 > cannot interfere with another.
 > My first attempt at privilege separation went through users & groups.

Using unix users and groups is the best way to attain total separation 
between environments. Either that or put them on different 
user-mode-linux* hosts.

*: http://usermodelinux.org/

 > Unfortunately application servers execute all python code under the
 > same uid; that way webapp 'a' from Alice can easily overwrite files
 > from webapp 'b' owned by Bob.

Perhaps you could run multiple application servers? One per isolated 
environment? Each of the above packages (quixote, etc) contains its own 
standalone server, as well as the capability to integrate into other 
server environments.

Use some form of proxy webserver in the front, which simply routes 
requests to the relevant application server, based on URL, HTTP_HOST, 
etc, etc.

Apache has a mod_proxy[1] designed specifically for this purpose. In 
combination with mod_rewrite[2], that should give you fairly powerful 
control over who gets to see which requests. You could probably roll 
your solution fairly easily using one or more of the mod_python 
Python*Handlers[3] and something like mod_scgi[4] or FastCGI[5].

1: http://httpd.apache.org/docs-2.0/mod/mod_proxy.html
2: http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html
3: http://www.modpython.org/live/current/doc-html/dir-handlers.html
4: http://www.mems-exchange.org/software/scgi/
5: http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html

 > Did I miss anything?

I am sure there are other approaches as well.

HTH,

-- 
alan kennedy
------------------------------------------------------
email alan:              http://xhaus.com/contact/alan
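
Added example, not from the original message or from any of the packages it names: a Python check that a one-app-server-per-Unix-user layout really keeps tenants apart, plus the privilege drop each server would perform at start-up. The tenant record keys (name, uid, gid, port, root) and both function names are assumptions made for this illustration.

```python
import os
import stat
from collections import Counter

# Tenant records are constructed for this example (hypothetical keys):
# name, uid, gid, port (loopback port the front proxy routes to), root (app dir).

def isolation_problems(tenants):
    """Return findings that would let one tenant's app server touch another's."""
    problems = []
    for key in ("uid", "port"):
        counts = Counter(t[key] for t in tenants)
        for value, n in counts.items():
            if n > 1:
                names = ", ".join(t["name"] for t in tenants if t[key] == value)
                problems.append(f"{key} {value} is shared by {names}")
    for t in tenants:
        if t["uid"] == 0:
            problems.append(f"{t['name']}: app server would run as root")
        for dirpath, _dirs, files in os.walk(t["root"]):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # mode bits on a symlink say nothing about access
                if st.st_uid != t["uid"]:
                    problems.append(f"{t['name']}: {path} owned by uid {st.st_uid}")
                if st.st_mode & stat.S_IWOTH:
                    problems.append(f"{t['name']}: {path} is world-writable")
                if st.st_mode & stat.S_IWGRP and st.st_gid != t["gid"]:
                    problems.append(f"{t['name']}: {path} is writable by gid {st.st_gid}")
    return problems


def drop_privileges(uid, gid):
    """Run as root in a freshly forked child, before any tenant code is imported."""
    os.setgroups([])   # shed root's supplementary groups
    os.setgid(gid)     # group first: setgid is refused once the uid is non-zero
    os.setuid(uid)     # sets real, effective and saved uid; cannot be undone
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")
```

An empty list from isolation_problems() means the layout holds under these checks; drop_privileges() needs root and is meant for the launcher that starts each tenant's server.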


