Embedding a restricted python interpreter

Gerhard Haering gh at ghaering.de
Thu Jan 6 16:53:23 CET 2005


On Thu, Jan 06, 2005 at 07:32:25AM -0800, Paul Rubin wrote:
> Jp Calderone <exarkun at divmod.com> writes:
> >   A Python sandbox would be useful, but the hosting provider's excuse
> > for not allowing you to use mod_python is completely bogus.  All the 
> > necessary security tools for that situation are provided by the 
> > platform in the form of process and user separation.
> 
> But mod_python is an apache module and runs in the same apache process
> with other users' scripts.

Which is why it's a good idea for each customer to have it's own system user
and their virtual hosts running under this uid. Which was the idea for the
perchild MPM for Apache 2 - which is abandoned now :-( muxmpm is a replacement
project in beta.

This really sucks when you use Apache2. I myself did make the switch some time
ago, then noticed that this (for me) important feature was missing. It now
works, somehow, but to make it work properly I'd need to either:

- go back to Apache 1.3.x, missing some nice improvements
- use different webservers per user, put them together with mod_proxy (yuck!)

-- Gerhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/python-list/attachments/20050106/5ed5c9d7/attachment.sig>


More information about the Python-list mailing list