2012/6/15 Chris <[email protected]>:
> We have had very good experiences with web2py.  And now we are moving into a
> more locked-down production environment. This raises some new questions
> about security.  I would like to make a suggestion.  If this suggestion
> seems valuable then I would work with others to implement it.  However an
> opinion from Massino and others is most important on this point.
>
> Problem statement: web2py processes create and read files in the base web2py
> directory.  This makes it difficult to secure the application in a
> production environment.  Granting permissions to apache, and especially when
> using SELinux security contexts, is much harder when the rules differ file
> by file within a single directory.
>
> Examples: if you lock down write permission on the web2py directory then try
> to run Rocket server, you will have problems since httpserver.log and
> httpserver.pid can't be created.  If you use apache with mod_wsgi, apache
> needs read access to wsgihandler.py which lives in the top-level directory.
>  (Similar issue for other handlers -- cgihandler.py and so on).
>
> Solution statement: refactor web2py slightly so no files exist in base
> folder, just other directories.  Add ./metadata -- where VERSION, LICENSE,
> README, CHANGELOG, splashlogo.gif go.  Add ./handlers -- where
> wsgihandler.py, anyserver.py and other handlers go.  Add ./cron where
> cron.master goes.  Add ./logs where httpserver.log would go (plus other items
> the user might configure like wsgi logs and so on).  Add ./setup where
> Makefile, setup.py and others go.  Consider moving web2py.py to ./gluon or
> devise another new folder.
>
> Measure of goodness: (1) No processes have a requirement to read or write
> files in the base directory.  (2) The web2py default download has no files
> in the base directory.  (3) New folders are fine-grained enough in their
> permissions that one owner (chown) and one file permission mask (chmod) can
> be applied to all contents of that folder.  (4) No security-required files
> live in the same folder as no-need-to-secure files, e.g. don't put
> parameters_*.py files in the same folder as README and *.gif files.  (5) Per
> web2py module or major process, document what directories it reads and
> writes, and permissions required (chown and chmod options required for
> directory level and file contents level) for that module / process to
> operate. (6) Explicit error messages on stdout when a module or process
> encounters a directory or file permission problem.
>
> This would enhance everyone's ability to achieve a highly secure web2py
> environment and not worry about problems creeping into the environment over
> time -- since there is no requirement to fiddle with individual file-level
> permissions.
>
> Would this be useful to anyone other than me?  :)  Thanks


I've already done exactly this for the Debian package of web2py. gluon
goes to the standard python libraries directory in Debian (and its
derivatives) and the script launching web2py makes some links and
copies some of these directories if rocket is used. When using apache
only VERSION, wsgihandler.py and routes.py must be copied to the
directory where the application is stored. This is a production server
using apache2:

server:/var/web2py# ls
applications  deposit  logs  routes.py  site-packages  VERSION  wsgihandler.py

I use the -f option to do this, and it works ok, except for this bug:
http://code.google.com/p/web2py/issues/detail?id=791

If all these changes were made to the code, it would make things
easier for me or other distribution maintainers.

Regards.
José L.
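The "measure of goodness" items above (one owner and one mode per folder, no files in the base directory, explicit messages on permission problems) can be expressed as a small audit. The following is an added example, not web2py's own code and not part of either message: the folder names come from the proposal in the thread (handlers, logs, metadata, cron, setup), while the mode values in POLICY, the function names and the constructed demo tree are assumptions made for illustration. Ownership (chown) is deliberately left out because it needs root; the mode checks work as any user.

```python
"""Per-folder permission scheme for a web2py-style layout (added example).

Illustrative code, not web2py's own: the folder names follow the proposal
in the thread (handlers, logs, metadata, cron, setup); the mode values, the
POLICY table and the function names are assumptions.
"""
import os
import stat
import sys
import tempfile

# Assumed policy: one directory mode and one file mode per folder, so one
# chmod (and, in production, one chown) covers everything inside it.  The
# web server only reads handlers/metadata/cron/setup; only logs is writable.
POLICY = {
    "handlers": (0o750, 0o640),
    "metadata": (0o750, 0o640),
    "cron":     (0o750, 0o640),
    "setup":    (0o750, 0o640),
    "logs":     (0o770, 0o660),
}


def _mode(path):
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def _entries(root):
    """Yield (path, is_dir) for everything below root.  Symlinks are skipped:
    they carry no mode of their own and may point outside the folder."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, True
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, False


def apply_layout(base, policy=POLICY):
    """Create the folders and apply one dir mode and one file mode to each."""
    for folder, (dir_mode, file_mode) in policy.items():
        root = os.path.join(base, folder)
        os.makedirs(root, exist_ok=True)
        os.chmod(root, dir_mode)
        for path, is_dir in _entries(root):
            os.chmod(path, dir_mode if is_dir else file_mode)


def audit_layout(base, policy=POLICY):
    """Return explicit problem messages; an empty list means the tree is clean."""
    problems = []
    for folder, (dir_mode, file_mode) in policy.items():
        root = os.path.join(base, folder)
        if not os.path.isdir(root):
            problems.append(f"{root}: missing (expected directory, mode {dir_mode:04o})")
            continue
        for path, is_dir in [(root, True)] + list(_entries(root)):
            want = dir_mode if is_dir else file_mode
            have = _mode(path)
            if have != want:
                problems.append(f"{path}: mode {have:04o}, expected {want:04o}")
    # A file directly in the base directory has no folder policy covering it,
    # which is exactly the situation the proposal wants to eliminate.
    for name in sorted(os.listdir(base)):
        path = os.path.join(base, name)
        if not os.path.isdir(path):
            problems.append(f"{path}: file in base directory, no folder policy applies")
    return problems


def build_demo_tree():
    """Constructed sample deployment with two deliberate violations."""
    base = tempfile.mkdtemp(prefix="web2py-layout-")
    apply_layout(base)
    handler = os.path.join(base, "handlers", "wsgihandler.py")
    with open(handler, "w") as fh:
        fh.write("# placeholder handler\n")
    os.chmod(handler, 0o666)                 # violation: world-writable handler
    log = os.path.join(base, "logs", "httpserver.log")
    with open(log, "w"):
        pass
    os.chmod(log, 0o660)                     # compliant log file
    with open(os.path.join(base, "VERSION"), "w") as fh:
        fh.write("placeholder\n")            # violation: stray file in base dir
    return base


if __name__ == "__main__":
    # Usage: python layout_audit.py [/path/to/web2py]; without an argument the
    # constructed demo tree is audited.  Problems go to stdout, exit code 1.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    findings = audit_layout(target)
    for line in findings:
        print(line)
    sys.exit(1 if findings else 0)
```

Running apply_layout on the demo tree repairs the world-writable handler but not the stray VERSION file: a mode fix cannot help a file that sits in a folder with no single policy, which is why the proposal moves such files out of the base directory rather than tuning them individually.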
