>> I didn't realize you could do shared hosting with mod_python, because
>> of the lack of security barriers between Python objects (i.e. someone
>> else's application could reach into yours). You really need a
>> separate interpreter per user.
>
> mod_python uses sub-interpreters - can be per virtual server, per
> directory etc, cf
> http://www.modpython.org/live/current/doc-html/dir-other-ipd.html
> http://www.modpython.org/live/current/doc-html/dir-other-ipdv.html

Yes, but your mod_python programs still run with the privileges of the Apache process, as do all the other mod_python programs. This means that my mod_python program can (at least) read files belonging to you - including your config file holding your database password.

PHP solves this problem by using its safe mode and basedir restrictions. Neither mod_python nor Python itself has this feature.

There are solutions for Apache that run each virtual host under a different uid, but they have quirks:

Metux MPM - http://www.metux.de/mpm/en/
mod_suid - for apache 1.3.x
http://www.palsenberg.com/index.php/plain/projects/apache_1_xx_mod_suid
mod_suid2 - for apache 2.0.x
http://bluecoara.net/item24/cat5.html
mod_ruid - seems to be an improvement of mod_suid2
http://websupport.sk/~stanojr/projects/mod_ruid/

But I see mod_python more as a way to extend Apache itself, than for running Python applications. A lot of the Apache mod_auth_* modules could be replaced with mod_python scripts.

OTOH SCGI or FastCGI seem better suited for python web (WSGI) applications.

-- 
damjan
-- 
http://mail.python.org/mailman/listinfo/python-list
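
An added example, not part of the original message or of mod_python: a permission audit for the situation described above, where every tenant's code runs under the one Apache uid, so any file that uid can open is open to all of them. It evaluates POSIX mode bits only (no ACLs, no ancestors above the root); the sample tree, the file names and the web uid are constructed assumptions.

```python
import os
import stat
import tempfile

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def allowed(st, uid, gids, bits):
    """Apply POSIX class selection: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root is not limited by mode bits for read/search
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def exposed_files(root, uid, gids):
    """List regular files under root that a process running as uid/gids can open."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not allowed(os.stat(dirpath), uid, gids, SEARCH):
            dirnames[:] = []  # no search permission: nothing below is reachable
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and allowed(st, uid, gids, READ):
                found.append(path)
    return sorted(found)

def demo():
    """Build a constructed sample tree and audit it for a hypothetical web uid."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "private"))
        modes = {"config.ini": 0o644, "db.ini": 0o600, "private/secret.ini": 0o644}
        for rel, mode in modes.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("password = constructed-sample\n")
            os.chmod(path, mode)
        os.chmod(root, 0o755)
        os.chmod(os.path.join(root, "private"), 0o700)
        web_uid = os.stat(root).st_uid + 1  # assumption: stands in for the Apache uid
        hits = exposed_files(root, web_uid, gids=set())
        return [os.path.relpath(p, root) for p in hits]

if __name__ == "__main__":
    print(demo())
```

A directory needs only the search (x) bit for a file at a known name inside it to be opened, which is why the walk prunes on search permission rather than on read permission.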