tags:

views:

95

answers:

2
Q: 

How to chroot Django

Can one run Django in a chroot? Notably, what's necessary in order to set up (for example) /var/www as a chroot'd directory and then have Django run in that chroot'd directory?

Thank you - I'm grateful for any input.

+1  A: 

You will have to add a Python interpreter to that directory and add Django to it ofcourse.

After you've got the environment set-up you will have to create a wrapper script that does something like os.chroot('/var/www/') and you're done :)

To create a sandboxed/chrooted environment for Python try one of the following options: http://wiki.python.org/moin/How%20can%20I%20run%20an%20untrusted%20Python%20script%20safely%20(i.e.%20Sandbox)?highlight=%28chroot%29 The PyPy option seems to be getting popular since Google started using it with the App-Engine.

WoLpH  2010-03-25 01:17:36
@WoLpH: Thanks for the info - that link's broken, though.
Brian M. Hunt  2010-03-25 02:49:39
@Brian M. Hunt: the link is fixed again, stackoverflow didn't like the ) in the link ;)
WoLpH  2010-03-25 19:52:26
@WoLpH: Great - thanks! That PyPy option is really *very* interesting - thanks.
Brian M. Hunt  2010-03-30 03:41:00
+2  A: 

There are many reasons mod_wsgi is preferred for Python web app deployment. One is stability, another is the variety of configuration options... one of which is ability to chroot the mod_wsgi daemon (starting with version 3.00).

The chroot option is not yet documented for the WSGIDaemonProcess directive at http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIDaemonProcess but there is enough documentation in Changes in Version 3.0.

You can also read a disussion of the feature at http://code.google.com/p/modwsgi/issues/detail?id=106

Van Gale  2010-03-25 02:07:10
@Van Gale - Thanks - handy reference. We're not using Apache, but Lighttpd (maybe Nginx someday). Is there an equivalent configuration option for Lighttpd that you're aware of (I'm looking now, too)?
Brian M. Hunt  2010-03-25 02:48:54
Err, well if you're using lighttpd you're probably also using flup (... and now you have 2 problems ... bada boom ...) fastcgi which means you should be able to have your fastcgi startup/init.d script do the chroot as suggested by WoLpH (although it may be in a shell script instead of python).
Van Gale  2010-03-25 16:21:43

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security