Re: Best-practice / howto packaging of CGI-based Web app ?
On 06.02.2014 01:58, Paul Wise wrote:
> On Thu, Feb 6, 2014 at 8:43 AM, Paul Wise wrote:
>
>> Which CGI are we talking about? Perhaps we can give more specific advice.
>
> I guess you mean Online Python Tutor (#737732).
>
> Looking at the git repo, it includes a lot of embedded code copies of
> various JavaScript libraries and other code. As per policy 4.13 those
> should be packaged separately.
>
> https://wiki.debian.org/EmbeddedCodeCopies
>
> I see some places where it uses os.system(). That should switch to
> using the subprocess module with shell disabled.
>
> The idea of this software is a bit concerning to me, it sounds like it
> runs arbitrary Python code on the server and passes the results back
> to the web. I would suggest auditing it to ensure that it isn't one
> giant security hole. Please get CVEs for any issues that you find.
>
> http://oss-security.openwall.org/wiki/disclosure/cve
>
A possible way to sandbox this could be to use apparmor, I use that to
isolate ipython-notebook instances which also allow execution of
arbitrary python code on the host.
Its relatively easy to setup though it can be tricky to isolate multiple
users. If you don't need that its probably the simplest solution.
Packaging apparmor profiles should be straightforward too, see dh_apparmor.
Other options might be selinux or lxc containers, but I have no
experience with these.
Reply to: