Sandboxing
You will need support from the operating system to effectively sandbox an application.
- On FreeBSD, you can use a jail. This has proven to be quite secure over the years. (While there have been vulnerabilities in this system, the consensus is that it is not possible for a program to break out of a jail without outside help. <1>)
- On Linux you can use LXC.
- On MS-Windows you could use sandboxie.
Have a look at the comparison of virtualization technologies before deciding what to do. Personally I'd suggest only using technologies that offer "root privilege isolation".
Another possibility would be to use a virtual machine. But that would probably have more overhead.
And no matter what you use, you still need the firewall on the host to redirect some traffic to the sandbox/virtual machine.
Python security
CPython itself
The source code for the standard CPython is regularly audited by coverity. In their 2012 scan they found 0.005 defects in 1000 lines of code. The average for open source projects is 0.69 defects per 1000 lines, and 1 defect/1000 lines is accepted as a good industry standard.
So CPython itself doesn't have many defects.
Web programming with Python
The OWASP Python security project has identified security concerns in the CPython source code, as well as security concerns in modules and functions.
The built-in eval() function deserves special mention here.
It executes the Python code given to it as a string without check or boundaries. So while it is sometimes very useful, this function should never ever be given untrusted input from the web!
For instance, don't be tempted to use it to give your web app a built-in calculator.
Their top-10 list of web app vulnerabilities also makes for interesting reading.
<1> From the documentation:
Jails are a powerful tool, but they are not a security panacea. While it is not possible for a jailed process to break out on its own, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail to obtain elevated privileges in the host environment.
Most of these attacks can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the host environment. As a general rule, untrusted users with privileged access to a jail should not be given access to the host environment.