Webapp servers & security


Anakim Border

App servers such as quixote, webware and skunkweb (just to name a
few) offer a clean environment to develop Python webapps. I have some
problems, however, understanding their security model.
My objective is to host webapps from different people on a single
Linux server; because of that, I want to be sure that one webapp
cannot interfere with another.
My first attempt at privilege separation went through users & groups.
Unfortunately application servers execute all python code under the
same uid; that way webapp 'a' from Alice can easily overwrite files
from webapp 'b' owned by Bob.
chroot() jails are not an option since I'd need one new process for
each request and that would be the same as using plain old CGIs, all
performance penalties included.
rexec and Bastion are deprecated, so I can't enforce security using
the Python VM itself. That leaves me without anything to work on.

Did I miss anything?

Regards,
Anakim Border
 

Alan Kennedy

[Anakim Border]
> App servers such as quixote, webware and skunkweb (just to name a
> few) offer a clean environment to develop Python webapps. I have some
> problems, however, understanding their security model.

Since they each have different security models, that's not surprising.
This is a difficult problem for people approaching python. Hopefully it
is the sort of problem that will be brought more under control when
WSGI* is in widespread use and authentication is controlled using WSGI
middleware.

*: http://www.python.org/peps/pep-0333.html

> My objective is to host webapps from different people on a single
> Linux server; because of that, I want to be sure that one webapp
> cannot interfere with another.
> My first attempt at privilege separation went through users & groups.

Using unix users and groups is the best way to attain total separation
between environments. Either that or put them on different
user-mode-linux* hosts.

*: http://usermodelinux.org/

> Unfortunately application servers execute all python code under the
> same uid; that way webapp 'a' from Alice can easily overwrite files
> from webapp 'b' owned by Bob.

Perhaps you could run multiple application servers? One per isolated
environment? Each of the above packages (quixote, etc) contains its own
standalone server, as well as the capability to integrate into other
server environments.

Use some form of proxy webserver in the front, which simply routes
requests to the relevant application server, based on URL, HTTP_HOST,
etc, etc.

Apache has a mod_proxy[1] designed specifically for this purpose. In
combination with mod_rewrite[2], that should give you fairly powerful
control over who gets to see which requests. You could probably roll
your solution fairly easily using one or more of the mod_python
Python*Handlers[3] and something like mod_scgi[4] or FastCGI[5].

1: http://httpd.apache.org/docs-2.0/mod/mod_proxy.html
2: http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html
3: http://www.modpython.org/live/current/doc-html/dir-handlers.html
4: http://www.mems-exchange.org/software/scgi/
5: http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html

> Did I miss anything?

I am sure there are other approaches as well.

HTH,
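
Added example, not part of any post in this thread: a Python sketch of the one-app-server-per-Unix-account layout suggested above, where a launcher started as root checks that no two webapps share a uid and then starts each server under its owner's account. The hostnames and account names are constructed, and `check_isolation`, `drop_privileges` and `spawn` are hypothetical helper names.

```python
import os
import pwd

# Constructed sample (assumption): front-proxy hostname -> Unix account that
# runs that tenant's own app server process.
TENANTS = {"alice.example.org": "alice", "bob.example.org": "bob"}


def check_isolation(tenants, lookup=pwd.getpwnam):
    """Return the problems that would defeat per-tenant uid separation."""
    problems, seen = [], {}
    for host, user in sorted(tenants.items()):
        try:
            uid = lookup(user).pw_uid
        except KeyError:
            problems.append(f"{host}: no such user {user}")
            continue
        if uid == 0:
            problems.append(f"{host}: runs as root")
        if uid in seen:
            problems.append(f"{host}: shares uid {uid} with {seen[uid]}")
        seen.setdefault(uid, host)
    return problems


def drop_privileges(user):
    """Permanently switch the current process (started as root) to `user`."""
    pw = pwd.getpwnam(user)
    os.setgroups([])      # clear supplementary groups while still root
    os.setgid(pw.pw_gid)  # group before user: setgid fails after setuid
    os.setuid(pw.pw_uid)
    os.umask(0o077)       # files created later are private to this tenant
    try:
        os.setuid(0)      # must fail, otherwise root can be regained
    except PermissionError:
        return
    raise RuntimeError("privileges were not dropped")


def spawn(user, argv):
    """Fork a child that drops to `user`, then execs that tenant's server."""
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(user)
            os.execvp(argv[0], argv)
        finally:
            os._exit(1)   # reached only if the drop or the exec failed
    return pid
```

Each backend should listen only on a loopback port or Unix socket so that the front proxy is the sole path to it.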
 

Istvan Albert

Anakim said:
> few) offer a clean environment to develop Python webapps. I have some
> problems, however, understanding their security model.
> Did I miss anything?

They don't have a security model. AFAIK only Zope has.

Istvan.
 
