Embedding a restricted python interpreter
Bengt Richter
bokr at oz.net
Thu Jan 6 15:31:17 EST 2005
On Thu, 6 Jan 2005 16:53:23 +0100, Gerhard Haering <gh at ghaering.de> wrote:
>
>--rwEMma7ioTxnRzrJ
>Content-Type: text/plain; charset=us-ascii
>Content-Disposition: inline
>Content-Transfer-Encoding: quoted-printable
>
>On Thu, Jan 06, 2005 at 07:32:25AM -0800, Paul Rubin wrote:
>> Jp Calderone <exarkun at divmod.com> writes:
>> > A Python sandbox would be useful, but the hosting provider's excuse
>> > for not allowing you to use mod_python is completely bogus. All the=20
>> > necessary security tools for that situation are provided by the=20
>> > platform in the form of process and user separation.
>>=20
>> But mod_python is an apache module and runs in the same apache process
>> with other users' scripts.
>
>Which is why it's a good idea for each customer to have it's own system user
>and their virtual hosts running under this uid. Which was the idea for the
>perchild MPM for Apache 2 - which is abandoned now :-( muxmpm is a replacem=
>ent
>project in beta.
Note to self. Another thing to catch up on ;-/
>
>This really sucks when you use Apache2. I myself did make the switch some t=
>ime
>ago, then noticed that this (for me) important feature was missing. It now
>works, somehow, but to make it work properly I'd need to either:
>
>- go back to Apache 1.3.x, missing some nice improvements
And maybe have to recompile to enable the setuid stuff. But IIRC after that you
can run cgi with everything private and serve only generated stuff to the world
if you want.
>- use different webservers per user, put them together with mod_proxy (yuck=
>!)
Regards,
Bengt Richter
More information about the Python-list
mailing list