Security Basics mailing list archives

apache security with mod_python


From: "Dolf Andringa" <dolf.andringa () elcyon nl>
Date: Mon, 19 Jan 2009 23:37:35 +0100

Hi everyone,

I am in the process of setting up an apache server. I have done this in more
secure environments before (behind a firewall and only services supplied by
it to me and an occasional other user). Right now though, I am setting up a
webserver for more public use, and I want to take security seriously.
I am setting the server up for two reasons: first I can use it to provide
some 10 (max) websites either maintained by myself or some close
acquaintances. Those websites are hosted through a cms (drupal), which takes
common security risks (SQL injection, XSS, spamming, etc) seriously, so I
think that as long as I keep it up to date, I am reasonably safe. The users
of those websites will not have any other access to the website other than
through sftp in a chroot jail and through the web interface of the cms.
The other reason I set up this server is that I myself want to use, modify
and write other types of web applications which need other software than the
standard LAMP software. Examples are providing access to
Trac <http://trac.edgewall.org/> through mod_python, Turbogears through
mod_proxy and other (mod_)python related stuff, for instance for web
mapping, which require access to some python modules, which in turn require
quite some C libraries.
Although I won't let people whom I don't know and whose intentions I don't
trust, upload or modify python code on the server, I realize that the
potential of badly written code provides quite some security issues. I am
therefore considering four setups of apache2. I hope you can advise me which
are the pros and cons:

1: Set up apache using a manual chroot:
although this allows me the tightest control over which libraries and
programs to be available to apache, I am afraid it might also prove to be a
pain to get right and might also require a lot of work every time a new
library is needed by a program.
2: Set up apache using mod_chroot: seems to be easier than a manual chroot,
but does it work with mod_python and stuff?
3: Forget about chroots in general and lock down apache, mysql, python, php,
etc with either apparmor or selinux.
4: a combination of the above (1 or 2 +3)

Cheers,

Dolf Andringa.

