[SAC] Re: Subject: [Technical Problem] can't register on trac

Frank Warmerdam warmerdam at pobox.com
Tue Apr 10 11:57:54 EDT 2012


On Tue, Apr 10, 2012 at 1:26 AM, Martin Spott <Martin.Spott at mgras.net> wrote:
> I'm not fluent in Python, thus, even though I might be able to develop
> a programmatic fix for these scripts by myself, I'd appreciate someone
> else to take a stab at it who achieves a proper result more quickly.
> Leaving a significant security hole open just because we don't have the
> resources to fix it properly isn't a good idea from my perspective.

Martin,

I wrote the scripts, and I moved them to where they are.

> As a short term solution for the Python scripts in question I'd propose to
> consider moving the LDAP credentials out of the main script(s) into a
> separate place which is not accessible from the web server - and to
> make use of some include directive in order to refer to these
> credentials from the respective Python scripts.

I don't really understand how we can put the credentials somewhere
not accessible from the web server but still accessible to the python
scripts which I presume run under the apache userid and permissions.

It seems to me that if the script can see them then apache can.
Or are you suggesting making the scripts setuid in some way?

BTW, you aren't suggesting that someone can just do an http fetch
to fetch the .py scripts, are you?

> An alternative might be to set a specific environment for the Python
> and then to refer to the values of environment variables for the
> credentials.

Once again, this doesn't seem any more secure to me.  Anyone who
can seize apache permissions will have it.  And pushing it into the
environment for the whole web environment seems to be asking for
problems.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Software Developer
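As an added example (not code from this thread or from the scripts Frank mentions): a Python loader that keeps LDAP bind credentials in a file outside the document root, readable only by the account the scripts run as, and refuses to proceed otherwise. The paths, the INI section name and the run_demo scenario are constructed assumptions.

```python
import configparser
import stat
import tempfile
from pathlib import Path

class CredentialFileError(Exception):
    """Credential file is missing, web-exposed, or too permissive."""

def check_credential_file(path: Path, document_root: Path) -> None:
    # Outside the document root, or a plain HTTP fetch (the concern raised
    # in the thread) would hand the credentials to anyone who guesses the URL.
    resolved, root = path.resolve(), document_root.resolve()
    if resolved == root or root in resolved.parents:
        raise CredentialFileError(f"{path} is inside document root {document_root}")
    mode = path.stat().st_mode
    # The web server user still has to read it (the scripts run as that user,
    # which is Frank's point), but no other local account should be able to.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialFileError(f"{path} is group/world accessible: {oct(mode & 0o777)}")

def load_ldap_credentials(path, document_root, section="ldap"):
    path = Path(path)
    check_credential_file(path, Path(document_root))
    cfg = configparser.ConfigParser()
    cfg.read_string(path.read_text())
    return {"bind_dn": cfg.get(section, "bind_dn"),
            "bind_password": cfg.get(section, "bind_password")}

def run_demo():
    # Constructed scenario in a temp tree: a fake htdocs plus a separate etc dir.
    base = Path(tempfile.mkdtemp())
    docroot = base / "htdocs"
    docroot.mkdir()
    good = base / "etc" / "ldap.ini"
    good.parent.mkdir()
    good.write_text("[ldap]\nbind_dn = cn=trac,dc=example,dc=org\n"
                    "bind_password = placeholder\n")  # constructed, not a real secret
    good.chmod(0o600)
    results = {"ok": load_ldap_credentials(good, docroot)}
    for label, candidate, mode in (("world_readable", good, 0o644),
                                   ("in_docroot", docroot / "ldap.ini", 0o600)):
        if candidate != good:
            candidate.write_text(good.read_text())
        candidate.chmod(mode)
        try:
            load_ldap_credentials(candidate, docroot)
            results[label + "_rejected"] = False
        except CredentialFileError:
            results[label + "_rejected"] = True
    return results
```

The check does not change what Frank observes: whatever the scripts can read, the apache user can read, so the file only narrows exposure to that account and to anyone who can fetch it over HTTP.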