Solving the shared-server security problem for Python


Problem description

So my group is trying to set up a shared-server environment for various and sundry web services. I think we've settled on setting disable_functions and disable_classes site-wide in php.ini and php_admin_value to force open_basedir in each app's httpd.conf for php scripts, and passenger's user switching for ruby scripts.

We still need to find something for python though. Passenger does support python, but not for per-application security for specific sub-directories (it's all or nothing at the domain level).

Any suggestions?

(And if any of the previous doesn't make sense - well, I'm the guy who's supposed to set up the python support, not the guy who set up the php or ruby support, so there's still some "and then some magic happens" steps in there from my perspective).

Solution

Well, there is a system called virtualenv which allows you to run Python in a sort of safe environment, and configure/load/shutdown these environments on the fly. I don't know much about it, but you should take a serious look into it; here is the description from its web page (just Google it and you'll find it):

The basic problem being addressed is one of dependencies and versions, and indirectly permissions. Imagine you have an application that needs version 1 of LibFoo, but another application requires version 2. How can you use both these applications? If you install everything into /usr/lib/python2.4/site-packages (or whatever your platform's standard location is), it's easy to end up in a situation where you unintentionally upgrade an application that shouldn't be upgraded.

Or more generally, what if you want to install an application and leave it be? If an application works, any change in its libraries or the versions of those libraries can break the application.

Also, what if you can't install packages into the global site-packages directory? For instance, on a shared host.

In all these cases, virtualenv can help you. It creates an environment that has its own installation directories, that doesn't share libraries with other virtualenv environments (and optionally doesn't use the globally installed libraries either).
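An added example, not part of the original answer or of the virtualenv project: it uses the standard-library `venv` module (assumed here as a stand-in for virtualenv) to build two environments, gives each its own version of a constructed `libfoo` module, and checks what each interpreter sees. The environment names, the module and the outside file are all hypothetical; the last check shows that the separation covers import paths only, since code in `app_a` still reads a file outside its environment that the same OS user can read.

```python
import os
import subprocess
import tempfile
import venv
from pathlib import Path


def make_env(path):
    """Create an environment with no pip and no global site-packages; return its interpreter."""
    posix = os.name != "nt"
    venv.EnvBuilder(system_site_packages=False, with_pip=False, symlinks=posix).create(path)
    return Path(path) / ("bin/python" if posix else "Scripts/python.exe")


def run(python, code):
    """Run code under one environment's interpreter (-I ignores PYTHON* variables and user site)."""
    done = subprocess.run([str(python), "-I", "-c", code],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def demo():
    with tempfile.TemporaryDirectory() as root:
        envs = {name: make_env(Path(root) / name) for name in ("app_a", "app_b")}
        # Constructed stand-in for the quoted "LibFoo": version 1 for app_a, version 2 for app_b.
        for (name, python), version in zip(envs.items(), ("1", "2")):
            site = run(python, "import sysconfig; print(sysconfig.get_path('purelib'))")
            Path(site, "libfoo.py").write_text(f"VERSION = {version!r}\n")
        probe = "import libfoo; print(libfoo.VERSION)"
        result = {name: run(python, probe) for name, python in envs.items()}
        # Constructed file outside both environments, owned by the same OS user.
        outside = Path(root) / "other_app.conf"
        outside.write_text("constructed-secret")
        result["app_a_reads_outside"] = run(
            envs["app_a"], f"print(open({str(outside)!r}).read())")
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```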
