Flask app with chrooted httpd

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Flask app with chrooted httpd

Thuban
Hi,
Did anyone use httpd to serve a flask app (python)?
I found this [1], but its a little outdated (python < 3) and makes me
wonder about safety, because of all those dependencies copied in chroot.

Any advice ?

Regards

--
    thuban

Reply | Threaded
Open this post in threaded view
|

Re: Flask app with chrooted httpd

Thuban
I forgot the link, my bad:

[1] : http://www.hydrus.org.uk/journal/openbsd-httpd.html

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Flask app with chrooted httpd

Pedro Tender-2
Why not a virtualenv? Just don’t use system python that need packages on
applications anywhere on anything.

On Mon, 12 Feb 2018 at 20:56, Thuban <[hidden email]> wrote:

> I forgot the link, my bad:
>
> [1] : http://www.hydrus.org.uk/journal/openbsd-httpd.html
>
Reply | Threaded
Open this post in threaded view
|

Re: Flask app with chrooted httpd

Kevin Chadwick-4
In reply to this post by Thuban
On Mon, 12 Feb 2018 14:42:53 +0100


> Did anyone use httpd to serve a flask app (python)?
> I found this [1], but its a little outdated (python < 3) and makes me
> wonder about safety, because of all those dependencies copied in
> chroot.
>
> Any advice ?

It seems python requires RWX mem by default. Ridiculous considering it
is a relatively new tool. Relegates it to, avoid for anything important
for me.

If you still wish to use it, you will likely need to add the wxallowed
mount option to the partition your chroot is on these days. Otherwise
you will see messages about the kernel killing it in /var/log/messages

There was a recent discussion about a non wrx port, not sure what
that would break or not or maybe just affect performance.

Reply | Threaded
Open this post in threaded view
|

Re: Flask app with chrooted httpd

Stuart Henderson
On 2018-02-12, Kevin Chadwick <[hidden email]> wrote:

> On Mon, 12 Feb 2018 14:42:53 +0100
>
>
>> Did anyone use httpd to serve a flask app (python)?
>> I found this [1], but its a little outdated (python < 3) and makes me
>> wonder about safety, because of all those dependencies copied in
>> chroot.
>>
>> Any advice ?
>
> It seems python requires RWX mem by default. Ridiculous considering it
> is a relatively new tool. Relegates it to, avoid for anything important
> for me.

Python itself does not need WX mappings.

Some native-code extensions need it so the executable has to be marked in
this way otherwise those extensions can't be used.

If we had similar extensions for perl (they exist but not currently in
ports), perl (and thus /usr) would need this treatment too.

> If you still wish to use it, you will likely need to add the wxallowed
> mount option to the partition your chroot is on these days. Otherwise
> you will see messages about the kernel killing it in /var/log/messages

Right.