python, flask, web app security


Problem description

When deploying on Flask I want to edit the SQLite database from the web app, and I ran into chmod permission problems, so I just made the entire directory accessible to users other than root. But is this secure? Probably I should create a separate group for the www access and root access and only allow that group of root and www to access the folder. But is it a security vulnerability if I simply make the folder that I deploy to with Flask and Apache chmod 777? No one could access that anyway, right, since it all goes through Apache, so it wouldn't make my web app vulnerable to attack, right? Thanks -

Recommended answer

"I ran into chmod permission problems so I just made the entire directory accessible to users other than root, but is this secure"

No, this is definitely not secure. Now everyone has access to your database.

"probably I should create a separate group for the www access and root access and only allow that group of root and www to access the folder"

You need to do the following, but this should already be taken care of by the package manager for your distribution:

  1. Create a user that will be used to run the web server.
  2. Launch the web server as root (you have to do this, since it will listen on ports < 1024), and then switch the process to the user you created in #1.
  3. Make sure any static assets (JavaScript files, CSS files, images, stylesheets, etc.) are read-only for this user, have read/write access for your own user, and all others have read access only.

Your code should be in a separate directory, only accessible by your own user and NOT accessible by the web server process.

Under no circumstances should you EVER do any of the following:

  • Change the permissions of any directory used by your web application to 777.
  • Put your code in the same directory used for static files.
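The permission layout the answer describes, as an added shell example that is not part of the original question or answer: one function lists world-writable paths (the chmod 777 problem), the other applies owner-only code, world-readable static assets and a group-writable database directory. The directory names (code, static, db), the web-server group argument and the group-writable SQLite directory are my assumptions.

```shell
# Audit and fix the permission layout from the answer, instead of chmod 777.
# Assumed layout (my layout, not from the original post):
#   $APP/code   -> owner only; the web-server user must not read it
#   $APP/static -> owner read/write, everyone else read-only
#   $APP/db     -> owner and web-server group read/write (SQLite also needs a
#                  writable directory for its journal), no access for others
# chgrp only succeeds if you own the files and belong to that group, or run as root.

# Print every file or directory under $1 whose "other" write bit is set.
find_world_writable() {
    find "$1" -perm -002
}

# Apply the layout above to app root $1; $2 is the web-server group (optional,
# e.g. www-data or apache, whichever your distribution's package uses).
harden_layout() {
    app="$1"
    grp="$2"
    mkdir -p "$app/code" "$app/static" "$app/db"
    chmod 755 "$app"                                  # traversable, not writable
    chmod 700 "$app/code"                             # code: owner only
    find "$app/code" -type f -exec chmod 600 {} +
    chmod 755 "$app/static"                           # static assets: world-readable
    find "$app/static" -type f -exec chmod 644 {} +
    chmod 770 "$app/db"                               # db: owner + web group only
    find "$app/db" -type f -exec chmod 660 {} +
    if [ -n "$grp" ]; then
        chgrp -R "$grp" "$app/db"
    fi
}
```

Run `find_world_writable /path/to/app` after deployment; any output means a 777-style mistake is back.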
