Thank you for the response Daniel. That was more-or-less what I
*thought* but it was great to be able to pass the information on to
him from a 3rd party. That said, is there anything I should be doing
from a practical standpoint as far as setting file permissions in my
project directories? Things that should be locked down or should not
be?

On Jan 5, 3:30 pm, Daniel Roseman <dan...@roseman.org.uk> wrote:
> On Jan 5, 11:12 pm, Daniel Hirsch <two.oli...@gmail.com> wrote:
>
> > Hi everyone,
>
> > We just launched our first django application into production and my
> > server admin is hounding me about its security. He claims that python
> > is vulnerable to scripting by the URL, which I quite honestly have no
> > clue about.
>
> > So, my question to you is two-fold:
>
> > 1 - What are the likely and potential vulnerabilities of a django
> > install running under mod_wsgi on Apache on Red Hat Enterprise?
> > 2 - What are the best practices for securing an installation?
>
> > I've searched the documentation and didn't find much mention of any of
> > this, so if there is a good source, please point me to it and I'll be
> > out of your hair.
>
> > Much appreciated!
>
> > Daniel Hirsch
>
> Your sysadmin doesn't sound like he knows what he's talking about,
> unfortunately.
>
> Firstly, none of the Python code - either Django or your app - should
> be in the server root or anywhere that Apache serves. mod_wsgi doesn't
> run arbitrary Python files depending on the URL, as your sysadmin
> seems to think, but dispatches URLs to a separate long-running
> process. If hackers are able to gain access to your server, install
> malicious Python files in an area not accessible by Apache, and then
> change the WSGI application or the Django URLconf to run them, then to
> be honest you have problems that are well beyond Django's
> responsibility.
>
> Perhaps he is under the mistaken impression that Django is some sort
> of CGI app?
> --
> DR.
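Since the follow-up asks what should be locked down, here is an added example (not code from either poster) that turns Daniel's points into a small POSIX shell audit: the project tree lives outside the directory Apache serves, nothing in it is world-writable, and settings.py is not world-readable. The paths /var/www/html and /srv/myproject and the demo tree are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Django project deployed
# under Apache/mod_wsgi for the layout and permission issues discussed above.
# Paths such as /var/www/html and /srv/myproject are placeholders.

# Returns 0 if PROJECT lies outside DOCROOT, 1 if Apache could serve it.
project_outside_docroot() {
    docroot=${1%/}; project=${2%/}
    case "$project/" in
        "$docroot"/*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Counts world-writable entries under DIR (should be 0: a writable
# urls.py or WSGI script lets any local user change what the app runs).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Counts settings.py files readable by "others" (SECRET_KEY, DB password).
count_exposed_settings() {
    find "$1" -name settings.py -perm -004 | wc -l | tr -d ' '
}

# Counts .py files under DOCROOT: mod_wsgi never executes them by URL, but
# Apache may serve their source as plain text.
count_python_in_docroot() {
    find "$1" -name '*.py' | wc -l | tr -d ' '
}

# Demo on a constructed tree; nothing outside a temp dir is touched.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/srv/myproject/myproject" "$t/var/www/html"
    chmod 750 "$t/srv/myproject" "$t/srv/myproject/myproject" "$t/var/www/html"
    : > "$t/srv/myproject/myproject/settings.py"
    chmod 640 "$t/srv/myproject/myproject/settings.py"   # ok: not world-readable
    : > "$t/srv/myproject/myproject/urls.py"
    chmod 666 "$t/srv/myproject/myproject/urls.py"       # bad: world-writable
    project_outside_docroot "$t/var/www/html" "$t/srv/myproject" \
        && echo "project outside docroot: ok" || echo "project inside docroot!"
    echo "world-writable entries: $(count_world_writable "$t/srv/myproject")"
    echo "exposed settings.py:    $(count_exposed_settings "$t/srv/myproject")"
    echo "python under docroot:   $(count_python_in_docroot "$t/var/www/html")"
    rm -rf "$t"
}
demo
```

Run it against the real DocumentRoot and project path to get the same three counts for a live deployment.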
-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.