Security Basics mailing list archives
apache security with mod_python
From: "Dolf Andringa" <dolf.andringa () elcyon nl>
Date: Mon, 19 Jan 2009 23:37:35 +0100
Hi everyone,

I am in the process of setting up an apache server. I have done this in more secure environments before (behind a firewall and only services supplied by it to me and an occasional other user). Right now though, I am setting up a webserver for more public use, and I want to take security seriously.

I am setting the server up for two reasons: first, I can use it to provide some 10 (max) websites either maintained by myself or some close acquaintances. Those websites are hosted through a cms (drupal), which takes common security risks (SQL injection, XSS, spamming, etc) seriously, so I think that as long as I keep it up to date, I am reasonably safe. The users of those websites will not have any other access to the website other than through sftp in a chroot jail and through the web interface of the cms.

The other reason I set up this server is that I myself want to use, modify and write other types of web applications which need other software than the standard LAMP software. Examples are providing access to Trac <http://trac.edgewall.org/> through mod_python, Turbogears through mod_proxy and other (mod_)python related stuff, for instance for web mapping, which require access to some python modules, which in turn require quite some c libraries. Although I won't let people whom I don't know and whose intentions I don't trust upload or modify python code on the server, I realize that the potential of badly written code provides quite some security issues.

I am therefore considering four setups of apache2. I hope you can advise me on the pros and cons:

1: Set up apache using a manual chroot: although this allows me the tightest control over which libraries and programs are available to apache, I am afraid it might also prove to be a pain to get right and might also require a lot of work every time a new library is needed by a program.

2: Set up apache using mod_chroot: seems to be easier than a manual chroot, but does it work with mod_python and stuff?

3: Forget about chroots in general and lock down apache, mysql, python, php, etc with either apparmor or selinux.

4: A combination of the above (1 or 2 + 3).

Cheers,
Dolf Andringa.