We have had very good experiences with web2py.  And now we are moving into 
a more locked-down production environment. This raises some new questions 
about security.  I would like to make a suggestion.  If this suggestion 
seems valuable then I would work with others to implement it.  However an 
opinion from Massimo and others is most important on this point.

Problem statement: web2py processes create and read files in the base 
web2py directory.  This makes it difficult to secure the application in a 
production environment.  Granting permissions to apache, and especially 
when using SELinux security contexts, is much harder when the rules differ 
file by file within a single directory.

Examples: if you lock down write permission on the web2py directory then 
try to run Rocket server, you will have problems since httpserver.log and 
httpserver.pid can't be created.  If you use apache with mod_wsgi, apache 
needs read access to wsgihandler.py which lives in the top-level directory. 
(Similar issue for other handlers -- cgihandler.py and so on).

Solution statement: refactor web2py slightly so no files exist in base 
folder, just other directories.  Add ./metadata -- where VERSION, LICENSE, 
README, CHANGELOG, splashlogo.gif go.  Add ./handlers -- where 
wsgihandler.py, anyserver.py and other handlers go.  Add ./cron where 
cron.master goes.  Add ./logs where httpserver.log would go (plus other items 
the user might configure like wsgi logs and so on).  Add ./setup where 
Makefile, setup.py and others go.  Consider moving web2py.py to ./gluon or 
devise another new folder.

Measure of goodness: (1) No processes have a requirement to read or write 
files in the base directory.  (2) The web2py default download has no files 
in the base directory.  (3) New folders are fine-grained enough in their 
permissions that one owner (chown) and one file permission mask (chmod) can 
be applied to all contents of that folder.  (4) No security-required files 
live in the same folder as no-need-to-secure files, e.g. don't put 
parameters_*.py files in the same folder as README and *.gif files.  (5) 
Per web2py module or major process, document what directories it reads and 
writes, and permissions required (chown and chmod options required for 
directory level and file contents level) for that module / process to 
operate. (6) Explicit error messages on stdout when a module or process 
encounters a directory or file permission problem.

This would enhance everyone's ability to achieve a highly secure web2py 
environment and not worry about problems creeping into the environment over 
time -- since there is no requirement to fiddle with individual file-level 
permissions.

Would this be useful to anyone other than me?  :)  Thanks
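As an added example (not part of the original post and not web2py's own code), a small audit script for the proposed layout: it checks a directory tree against measures (1) to (4) and builds a constructed sample tree to run against. The folder names are the ones proposed above; the file modes and sample names such as parameters_8000.py are assumptions for the demo.

```python
import fnmatch, os, stat, tempfile

# Proposed folders -> (files, one octal mode for every file in the folder); modes are demo assumptions.
LAYOUT = {
    "metadata": (["VERSION", "LICENSE", "README", "splashlogo.gif"], 0o644),
    "handlers": (["wsgihandler.py", "anyserver.py"], 0o640),
    "cron": (["cron.master"], 0o640),
    "logs": (["httpserver.log"], 0o660),
    "setup": (["Makefile", "setup.py"], 0o640),
}
SENSITIVE = ("parameters_*.py",)           # must be protected (measure 4)
PUBLIC = ("README*", "LICENSE*", "*.gif")  # no need to secure (measure 4)

def audit_layout(base):
    """Return violations of measures (1)-(4) for the tree at base; [] means compliant."""
    violations = []
    for name in sorted(os.listdir(base)):  # (1)/(2): nothing but folders in base
        if os.path.isfile(os.path.join(base, name)):
            violations.append("file in base directory: %s" % name)
    for root, _, files in os.walk(base):
        if root == base or not files:
            continue
        rel = os.path.relpath(root, base)
        stats = [os.stat(os.path.join(root, f)) for f in files]
        owners, modes = {s.st_uid for s in stats}, {stat.S_IMODE(s.st_mode) for s in stats}
        if len(owners) > 1:  # (3): one chown must cover the whole folder
            violations.append("mixed owners in %s" % rel)
        if len(modes) > 1:   # (3): one chmod must cover the whole folder
            violations.append("mixed modes in %s: %s" % (rel, sorted(oct(m) for m in modes)))
        if any(fnmatch.fnmatch(f, p) for f in files for p in SENSITIVE) and \
           any(fnmatch.fnmatch(f, p) for f in files for p in PUBLIC):
            violations.append("sensitive and public files share %s" % rel)  # (4)
    return violations

def _touch(path, mode):
    open(path, "w").close()
    os.chmod(path, mode)

def build_demo(bad=False):
    """Create a constructed sample tree in a temp dir; bad=True plants violations."""
    base = tempfile.mkdtemp(prefix="web2py-layout-")
    for folder, (files, mode) in LAYOUT.items():
        os.makedirs(os.path.join(base, folder))
        for f in files:
            _touch(os.path.join(base, folder, f), mode)
    if bad:
        _touch(os.path.join(base, "httpserver.pid"), 0o644)                  # file in base
        _touch(os.path.join(base, "metadata", "parameters_8000.py"), 0o644)  # secret beside README
        _touch(os.path.join(base, "logs", "wsgi.log"), 0o600)                # second mode in logs
    return base
```

Running audit_layout on a real checkout lists every folder that would still need file-by-file chown/chmod rules, which is exactly what the proposal is trying to eliminate.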
