On 28.04.2019 21:42, aprekates wrote:
> Experimenting with wsgi and python webapp dev
> I came upon issues and roads to choose, mainly
> regarding installation, deployment and security
> related issues.
>
> sudo pip install ..   or  pip install
>
> Is virtualenv secure, or is it just redirect trickery and
> not a real chroot environment?
>
> Should I make another user for development?
>
> I think, after a little search on the net around similar questions, that
> a doc from the community endorsing some good practices for
> developers could be of help.
>
> I've read
> https://wiki.debian.org/DontBreakDebian#Using_chroot.2C_containers.2C_and_virtual_machines
> but I think there are more questions.
>
> Thanks.
>
>
I think it is a good practice in general to actually test if something
bothers you.
You can set up your virtualenv environment by the book in a test VM, and
create a deliberately insecure python webapp to test how virtualenv will
behave if you try to execute shell commands from a web-browser, try to
steal passwords, execute SQL commands, read, write, execute arbitrary
files, etc.
Check out what username is used when you do all that, what
limitations and what options are available for it.
If your system will host a few websites (Virtual Hosts), test if you can
access the information on any of them from another website or not.
This way you can see how good the isolation is and its limitations, and
how to fix it and improve it.

WebDev IMO is hell with all those pip-s and npm-s out there pushing
packages and modules and dependencies into your environment, and you have
to audit their code yourself or blindly trust they are safe.
You should read the documentation, research and test to get the answers
for every question you have. Understand how everything works internally.
There are no step-by-step guides for security topics, because everything
could be set up in myriad ways, constantly evolving and becoming so
complex that there is almost never a straight answer for anything.

-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀ 
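The reply above recommends checking for yourself what a virtualenv does and does not isolate (which user you run as, whether files outside it are readable, whether commands can be spawned). The probe below is an added example written for this thread, not code from either poster or from the virtualenv project. It assumes a POSIX system with Python 3.3 or newer, creates its own sample file in the temp directory to stand in for "another website's data", and reports the same facts from inside and outside a venv so the two runs can be compared.

```python
"""Probe what a virtualenv actually isolates (added example, not from the thread).

Run once from the system interpreter and once from an activated venv:
only the interpreter paths differ. The user id, the readable outside
file and the spawned process show that a venv is a sys.path/prefix
redirect, not a chroot or a sandbox.
"""
import os
import subprocess
import sys
import sysconfig
import tempfile


def in_virtualenv() -> bool:
    # venv/virtualenv rewrite sys.prefix; sys.base_prefix still points at the real install.
    return sys.prefix != sys.base_prefix


def venv_report() -> dict:
    """Collect what a venv changes (paths) next to what it leaves alone (identity, FS, exec)."""
    # Constructed sample: a file outside any prefix, standing in for another vhost's secret.
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".secret") as f:
        f.write("constructed sample secret\n")
        outside_path = f.name
    try:
        readable_outside = os.access(outside_path, os.R_OK)
        contents = None
        if readable_outside:
            with open(outside_path) as f:
                contents = f.read().strip()
        # Spawning a child process from inside the venv works exactly as it does outside.
        # sys.executable is used here only so the example runs anywhere; any command would do.
        proc = subprocess.run(
            [sys.executable, "-c", "import os; print(os.getuid())"],
            capture_output=True, text=True, check=False,
        )
        child_uid = proc.stdout.strip() if proc.returncode == 0 else None
    finally:
        os.unlink(outside_path)
    return {
        "in_venv": in_virtualenv(),
        "sys_prefix": sys.prefix,
        "base_prefix": sys.base_prefix,
        "site_packages": sysconfig.get_paths()["purelib"],
        "uid": os.getuid(),
        "child_uid": child_uid,
        "can_read_outside": readable_outside,
        "outside_contents": contents,
    }


def isolation_gaps(report: dict) -> list:
    """Name the boundaries a venv does not enforce; an empty list would mean a real sandbox."""
    gaps = []
    if report["can_read_outside"]:
        gaps.append("filesystem: files outside the venv prefix are readable")
    if report["child_uid"] is not None:
        gaps.append("process: child processes can be spawned from the venv")
    if report["child_uid"] == str(report["uid"]):
        gaps.append("identity: the child runs as the same user as the web app")
    return gaps


if __name__ == "__main__":
    rep = venv_report()
    for key, value in rep.items():
        print(f"{key:18} {value}")
    print("isolation gaps:")
    for gap in isolation_gaps(rep):
        print(" -", gap)
```

The three gaps it reports are exactly the properties the reply suggests testing; closing them is a job for a separate unprivileged user, a chroot, a container or a VM, which a venv does not replace.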
