Hi,

I'll probably be starting on my first Python web application soon. With PHP, I always set a bunch of security-related settings, e.g.:

php_admin_value[disable_functions] = apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, symlink

As well as open_basedir and disabling version information/error logging once things go live.. nginx also requires something like this in the PHP-FPM block:

try_files $uri =404;

Does Pyhon/UWSGI with Nginx require similar settings? I want to prevent python from being able to execute shell commands and access files outside of the allowed paths. (I'm assuming webhosts must have something similar since they don't want users to access the files of other users in a shared hosting environment).

Thanks!

PHP has a whole set of security issues that aren't present in most other languages, including Python, and disabling functions is one way to mitigate those problems.

You can't easily disable functions in Python but it shouldn't really be necessary. There is at least one specific function that is a bad idea to call from a Python web app, namely eval(), and then a large set of functions where you need to be very very careful to make sure the function parameters are sanitized if they contain any user input, for example any functions in the os module.

For Python you mostly need to be aware of the OWASP Top 10 vulnerabilities and how to prevent them.

For uWSGI specifically I can't say, but anything special there should be discussed in uWSGI documentation.

My main concern was that I didn't want users to perform shell commands and access stuff outside of the allowed paths - e.g. untrusted users. On IRC I got the advice to look into namespaces, which seems to be what I am looking for. This simply jails the application/vhost into their own environment so they can't get to anything else.

Thanks !