I'm writing a web-server in Python as a hobby project. The code is targeted at *NIX machines. I'm new to developing on Linux and even newer to Python itself.

I am worried about people breaking out of the folder that I'm using to serve up the web-site. The most obvious way to do this is to filter requests for documents like /../../etc/passwd. However, I'm worried that there might be clever ways to go up the directory tree that I'm not aware of and that consequently my filter won't catch.

I'm considering using os.chroot so that the root directory is the web-site itself. Is this a safe way of protecting against these jail-breaking attacks? Are there any potential pitfalls to doing this that will hurt me down the road?

+5  A: 

Yes, there are pitfalls. Security-wise:

  1. If you run as root, there are always ways to break out. So first chroot(), then PERMANENTLY drop privileges to another user.
  2. Put nothing which isn't absolutely required into the chroot tree. Especially no suid/sgid files, named pipes, unix domain sockets and device nodes.

Python-wise, your whole module loading gets screwed up. Python is simply not made for such scenarios. If your application is moderately complex you will run into module loading issues.

I think much more important than chrooting is running as a non-privileged user and simply using the file system permissions to keep that user from reading anything of importance.

mdorseif
Do you know how virtualenv plays with chroot-ed environments? http://pypi.python.org/pypi/virtualenv
Alabaster Codify
A possible solution to module loading is to have all the modules inside the chroot, but nothing else.
orip
I was only "passively aware" of virtualenv and this is surely something to look into if you are going to chroot.
mdorseif
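An added example (my own code, not the asker's server or anything from the answer above) of the order of operations the answer recommends, chroot() first and then a permanent privilege drop, together with a document-root check that addresses the "clever ways up the directory tree" worry in the question; the user name passed to enter_jail and the temporary document root built by make_demo_root are constructed for the demo.

```python
import os
import pwd
import tempfile
from urllib.parse import unquote


def resolve_request(docroot, request_path):
    """Map a URL path onto a file below docroot, or return None if it escapes.

    Catches dot-dot segments, percent-encoded dot-dot, absolute paths,
    NUL bytes and symlinks that point out of the tree (realpath follows them).
    """
    root = os.path.realpath(docroot)
    decoded = unquote(request_path)
    if "\x00" in decoded:            # a NUL would truncate the path in C APIs
        return None
    # lstrip("/") so join() does not discard root for a request like "/etc/passwd"
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def drop_privileges(username):
    """Give up root for good: clear groups, set gid, then uid (order matters)."""
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)             # as root this sets real, effective and saved uid
    try:
        os.setuid(0)                 # must now fail, otherwise the drop was not permanent
    except PermissionError:
        return
    raise RuntimeError("still able to regain root after setuid")


def enter_jail(docroot, username):
    """Needs root: chroot() into the site, pin the cwd inside it, then drop root."""
    os.chroot(docroot)
    os.chdir("/")
    drop_privileges(username)


def make_demo_root():
    """Constructed document root: one page plus a symlink that points to /."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    os.symlink("/", os.path.join(root, "escape"))
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for req in ["/index.html", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd", "/escape/etc/passwd"]:
        print(req, "->", resolve_request(root, req))
```

enter_jail is only meaningful when the process starts as root, so the demo in __main__ exercises just the path check.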
+2  A: 

Check out Twisted. twistd supports privilege shedding and chroot operation out of the box. Additionally it has a whole framework for writing network services, daemons, and pretty much everything.

Kamil Kisiel