Bug 813122

Summary: Add the ability to enable hash randomization in mod_wsgi apps
Product: Red Hat Enterprise Linux 6
Component: mod_wsgi
Version: 6.8
Reporter: Luke Macken <lmacken>
Assignee: Luboš Uhliarik <luhliari>
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
CC: dmalcolm, jokajak, jorton, jrusnack, lmacken, mrunge, pfrields
Status: CLOSED UPSTREAM
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Clone Of: 812398
Bug Depends On: 812398
Last Closed: 2016-07-28 11:15:58 UTC

Description Luke Macken 2012-04-17 00:57:54 UTC
+++ This bug was initially created as a clone of Bug #812398 +++

The latest version of Python supports hash randomization.

http://mail.python.org/pipermail/python-list/2012-April/1290792.html

For webapps deployed with mod_wsgi, it's not trivial to enable this feature to secure your webapp.

I first attempted to enable this feature by modifying Apache's init script (https://fedorahosted.org/fedora-infrastructure/ticket/3169). This approach is not ideal, because it adds Python-specific options to the Apache init script, which tends to be distro-specific anyway.

The ideal solution is to add an option to mod_wsgi that allows the user to enable hash randomization. I wrote a patch that adds a WSGIHashSeed option, and sent it upstream.

https://groups.google.com/d/msg/modwsgi/TFJYMJ30Q7w/I4C8JhUv8ScJ

SRPM with patch: http://lmacken.fedorapeople.org/rpms/mod_wsgi-3.3-3.fc18.src.rpm

Comment 2 Joe Orton 2015-07-28 13:36:35 UTC
Any idea why adding PYTHONHASHSEED=random to /etc/sysconfig/httpd is not sufficient?

Comment 4 Luke Macken 2016-02-29 21:56:58 UTC
(In reply to Joe Orton from comment #2)
> Any idea why adding PYTHONHASHSEED=random to /etc/sysconfig/httpd is not
> sufficient?

It is sufficient, but not ideal. I'm fine with closing out this bug if you would like, but we're still shipping very old mod_wsgi in RHEL7, which has a proper configuration directive for this.
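
One way to confirm that the `PYTHONHASHSEED=random` setting discussed in the comments has taken effect, as an added example that is not part of this bug report or of mod_wsgi. The helper names `probe_interpreter`, `randomization_effective` and `seed_mode` are hypothetical; `application` is the callable name mod_wsgi looks for by default, and `sys.flags.hash_randomization` is the interpreter's own flag.

```python
import os
import subprocess
import sys

# Run in a fresh interpreter so the seed is chosen at that process's start-up.
PROBE = "import sys; print(sys.flags.hash_randomization, hash('probe'))"

def probe_interpreter(hash_seed):
    """Start a child interpreter with PYTHONHASHSEED=hash_seed; return (flag, hash)."""
    env = dict(os.environ, PYTHONHASHSEED=hash_seed)
    out = subprocess.check_output([sys.executable, "-c", PROBE], env=env)
    flag, value = out.decode().split()
    return int(flag), int(value)

def randomization_effective(hash_seed, runs=3):
    """True if the flag is set and string hashes differ between processes."""
    results = [probe_interpreter(hash_seed) for _ in range(runs)]
    flags_on = all(flag == 1 for flag, _ in results)
    distinct = len({value for _, value in results}) > 1
    return flags_on and distinct

def seed_mode(value):
    """Classify PYTHONHASHSEED without echoing a fixed seed back to clients."""
    if value is None:
        return "unset"
    return "random" if value == "random" else "fixed"

def application(environ, start_response):
    """WSGI diagnostic: what the embedded interpreter in this httpd process sees."""
    body = "hash_randomization=%d seed_mode=%s\n" % (
        sys.flags.hash_randomization,
        seed_mode(os.environ.get("PYTHONHASHSEED")))
    data = body.encode("ascii")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(data)))])
    return [data]

if __name__ == "__main__":
    # Constructed check: "0" disables randomization, "random" enables it.
    for seed in ("0", "random"):
        print(seed, randomization_effective(seed))
```

Serving `application` from a temporary, access-restricted location shows whether the variable set in /etc/sysconfig/httpd reached the worker processes; on interpreters that randomize hashes by default the flag reads 1 even when the variable is unset.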