Re: Securing Django Installation - file permissions?

2010-01-06 Thread Daniel Hirsch
Thank you for the response, Daniel. That was more-or-less what I
*thought* but it was great to be able to pass the information on to
him from a 3rd party. That said, is there anything I should be doing
from a practical standpoint as far as setting file permissions in my
project directories? Things that should be locked down or should not
be?

On Jan 5, 3:30 pm, Daniel Roseman wrote:
> On Jan 5, 11:12 pm, Daniel Hirsch wrote:
>
> > Hi everyone,
>
> > We just launched our first django application into production and my
> > server admin is hounding me about its security. He claims that python
> > is vulnerable to scripting by the URL, which I quite honestly have no
> > clue about.
>
> > So, my question to you is two-fold:
>
> > 1 - What are the likely and potential vulnerabilities of a django
> > installation running under mod_wsgi on Apache on Red Hat Enterprise?
> > 2 - What are the best practices for securing an installation?
>
> > I've searched the documentation and didn't find much mention of any of
> > this, so if there is a good source, please point me to it and I'll be
> > out of your hair.
>
> > Much appreciated!
>
> > Daniel Hirsch
>
> Your sysadmin doesn't sound like he knows what he's talking about,
> unfortunately.
>
> Firstly, none of the Python code - either Django or your app - should
> be in the server root or anywhere that Apache serves. mod_wsgi doesn't
> run arbitrary Python files depending on the URL, as your sysadmin
> seems to think, but dispatches URLs to a separate long-running
> process. If hackers are able to gain access to your server, install
> malicious Python files in an area not accessible by Apache, and then
> change the WSGI application or the Django URLconf to run them, then to
> be honest you have problems that are well beyond Django's
> responsibility.
>
> Perhaps he is under the mistaken impression that Django is some sort
> of CGI app?
> --
> DR.
-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.

Re: Securing Django Installation - file permissions?

2010-01-05 Thread Daniel Roseman
On Jan 5, 11:12 pm, Daniel Hirsch wrote:
> Hi everyone,
>
> We just launched our first django application into production and my
> server admin is hounding me about its security. He claims that python
> is vulnerable to scripting by the URL, which I quite honestly have no
> clue about.
>
> So, my question to you is two-fold:
>
> 1 - What are the likely and potential vulnerabilities of a django
> installation running under mod_wsgi on Apache on Red Hat Enterprise?
> 2 - What are the best practices for securing an installation?
>
> I've searched the documentation and didn't find much mention of any of
> this, so if there is a good source, please point me to it and I'll be
> out of your hair.
>
> Much appreciated!
>
> Daniel Hirsch

Your sysadmin doesn't sound like he knows what he's talking about,
unfortunately.

Firstly, none of the Python code - either Django or your app - should
be in the server root or anywhere that Apache serves. mod_wsgi doesn't
run arbitrary Python files depending on the URL, as your sysadmin
seems to think, but dispatches URLs to a separate long-running
process. If hackers are able to gain access to your server, install
malicious Python files in an area not accessible by Apache, and then
change the WSGI application or the Django URLconf to run them, then to
be honest you have problems that are well beyond Django's
responsibility.

Perhaps he is under the mistaken impression that Django is some sort
of CGI app?
--
DR.
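As an added example (not from the thread, not from the Django or mod_wsgi projects) of the practical check Daniel Hirsch asks for and that the answer above implies: a POSIX shell audit that confirms the Django project directory lies outside Apache's DocumentRoot, so no .py file is ever in a path Apache serves, and flags files a local foothold could edit (world-writable entries) or read (a world-readable settings.py). The function names and the two path arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit the on-disk layout of a Django project deployed
# under mod_wsgi. Arguments (assumed): DOCROOT = Apache DocumentRoot,
# PROJECT = directory holding the Django project and its wsgi module.

# Return 0 if PROJECT is not inside DOCROOT, 1 if it is (or if either
# path does not exist). Paths are canonicalised so symlinks cannot hide
# a project that really sits under the served tree.
project_outside_docroot() {
    docroot=$(cd "$1" && pwd -P) || return 1
    project=$(cd "$2" && pwd -P) || return 1
    case "$project/" in
        "$docroot"/*) return 1 ;;   # PROJECT equals or is below DOCROOT
        *) return 0 ;;
    esac
}

# Run all checks; print each finding and return 1 if anything failed.
audit_django_layout() {
    docroot=$1; project=$2; status=0

    if ! project_outside_docroot "$docroot" "$project"; then
        echo "FAIL: $project is inside Apache DocumentRoot $docroot"
        status=1
    fi

    # World-writable code or directories let any local account change
    # the WSGI application or URLconf that the long-running process
    # imports. Symlinks are skipped: their own mode bits are meaningless.
    ww=$(find "$project" ! -type l -perm -002)
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable entries under $project:"
        echo "$ww"
        status=1
    fi

    # settings.py holds SECRET_KEY and database credentials; only the
    # owner and the Apache/mod_wsgi group need to read it.
    wr=$(find "$project" -name settings.py ! -type l -perm -004)
    if [ -n "$wr" ]; then
        echo "FAIL: settings.py readable by everyone:"
        echo "$wr"
        status=1
    fi
    return $status
}

# Usage: sh audit.sh /var/www/html /srv/myproject
if [ $# -eq 2 ]; then audit_django_layout "$1" "$2"; fi
```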

Securing Django Installation - file permissions?

2010-01-05 Thread Daniel Hirsch
Hi everyone,

We just launched our first django application into production and my
server admin is hounding me about its security. He claims that python
is vulnerable to scripting by the URL, which I quite honestly have no
clue about.

So, my question to you is two-fold:

1 - What are the likely and potential vulnerabilities of a django
installation running under mod_wsgi on Apache on Red Hat Enterprise?
2 - What are the best practices for securing an installation?

I've searched the documentation and didn't find much mention of any of
this, so if there is a good source, please point me to it and I'll be
out of your hair.

Much appreciated!

Daniel Hirsch