On 06.02.2014 01:58, Paul Wise wrote:
> On Thu, Feb 6, 2014 at 8:43 AM, Paul Wise wrote:
>
>> Which CGI are we talking about? Perhaps we can give more specific advice.
>
> I guess you mean Online Python Tutor (#737732).
>
> Looking at the git repo, it includes a lot of embedded code copies of
> various JavaScript libraries and other code. As per policy 4.13 those
> should be packaged separately.
>
> https://wiki.debian.org/EmbeddedCodeCopies
>
> I see some places where it uses os.system(). That should switch to
> using the subprocess module with shell disabled.
>
> The idea of this software is a bit concerning to me, it sounds like it
> runs arbitrary Python code on the server and passes the results back
> to the web. I would suggest auditing it to ensure that it isn't one
> giant security hole. Please get CVEs for any issues that you find.
>
> http://oss-security.openwall.org/wiki/disclosure/cve
>
A possible way to sandbox this could be to use apparmor, I use that to
isolate ipython-notebook instances which also allow execution of
arbitrary python code on the host. It's relatively easy to set up, though
it can be tricky to isolate multiple users. If you don't need that it's
probably the simplest solution. Packaging apparmor profiles should be
straightforward too, see dh_apparmor.

Other options might be selinux or lxc containers, but I have no
experience with these.

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52f821ac.9030...@googlemail.com
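The quoted message asks for the os.system() calls to be replaced by the subprocess module with the shell disabled. The following is an added example written for this thread, not code from Online Python Tutor or from either poster. It contrasts the string-to-/bin/sh pattern with an argv-list subprocess call that runs a user-supplied script in a separate interpreter with a timeout; the file name with a semicolon is a constructed sample, and the function names are hypothetical. AppArmor confinement of that child interpreter, as suggested in the reply, is a separate layer on top of this and is not shown here.

```python
import os
import subprocess
import sys
import tempfile


def shell_command_for(path):
    """The os.system() pattern: one string that /bin/sh will parse.
    Returned rather than executed, so the demo can show why a path
    containing shell metacharacters is dangerous in this form."""
    return "python " + path


def run_student_script(path, timeout=5):
    """Run a user-supplied script in a child interpreter without a shell.

    The argv list means `path` is delivered as a single literal argument.
    -I (isolated mode) ignores PYTHON* environment variables and the user
    site-packages; -B stops .pyc files being written next to the script.
    A timeout bounds runaway scripts, and stdin is closed so nothing blocks.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-B", path],
            shell=False,                 # explicit, even though it is the default
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=timeout,
            cwd=os.path.dirname(path) or None,
        )
    except subprocess.TimeoutExpired:
        return {"rc": None, "stdout": "", "stderr": "timeout after %ss" % timeout}
    return {"rc": proc.returncode, "stdout": proc.stdout, "stderr": proc.stderr}


def demo():
    """Constructed sample: a script whose file name carries shell metacharacters.
    Returns the shell string the unsafe pattern would build, and the result
    of running the same file through run_student_script()."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "lesson1; echo INJECTED.py")
        with open(path, "w") as f:
            f.write("print('hello from the tutor')\n")
        cmd = shell_command_for(path)
        result = run_student_script(path)
    return cmd, result


def demo_timeout():
    """Constructed sample: a script that never terminates is cut off."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "spin.py")
        with open(path, "w") as f:
            f.write("while True:\n    pass\n")
        return run_student_script(path, timeout=1)


if __name__ == "__main__":
    cmd, result = demo()
    print("unsafe shell string:", cmd)
    print("subprocess result:", result)
    print("timeout result:", demo_timeout())
```

With the argv form the semicolon in the file name is just a character in one argument, so the script runs and only its own output comes back; handed to /bin/sh, the same string would have been split at the semicolon into two commands.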