Bug 813122 - Add the ability to enable hash randomization in mod_wsgi apps
Status: CLOSED UPSTREAM
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mod_wsgi
Version: 6.8
Assigned To: Web Stack Team
QA Contact: BaseOS QE - Apps
Depends On: 812398
Reported: 2012-04-16 20:57 EDT by Luke Macken
Modified: 2016-09-19 22:47 EDT

Doc Type: Bug Fix
Clone Of: 812398
Last Closed: 2016-07-28 07:15:58 EDT
Type: Bug


Description Luke Macken 2012-04-16 20:57:54 EDT
+++ This bug was initially created as a clone of Bug #812398 +++

The latest version of Python supports hash randomization.

http://mail.python.org/pipermail/python-list/2012-April/1290792.html

For webapps deployed with mod_wsgi, it's not trivial to enable this feature to secure your webapp.

I first attempted to enable this feature by modifying Apache's init script (https://fedorahosted.org/fedora-infrastructure/ticket/3169). This approach is not ideal, because it adds Python-specific options to the Apache init script, which tends to be distro-specific anyway.

The ideal solution is to add an option to mod_wsgi that allows the user to enable hash randomization. I wrote a patch that adds a WSGIHashSeed option, and sent it upstream.

https://groups.google.com/d/msg/modwsgi/TFJYMJ30Q7w/I4C8JhUv8ScJ

SRPM with patch: http://lmacken.fedorapeople.org/rpms/mod_wsgi-3.3-3.fc18.src.rpm
Comment 2 Joe Orton 2015-07-28 09:36:35 EDT
Any idea why adding PYTHONHASHSEED=random to /etc/sysconfig/httpd is not sufficient?
Comment 4 Luke Macken 2016-02-29 16:56:58 EST
(In reply to Joe Orton from comment #2)
> Any idea why adding PYTHONHASHSEED=random to /etc/sysconfig/httpd is not
> sufficient?

It is sufficient, but not ideal. I'm fine with closing out this bug if you would like, but we're still shipping very old mod_wsgi in RHEL7, which has a proper configuration directive for this.
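
One way to check that the `PYTHONHASHSEED=random` setting discussed in the comments above actually reached the interpreter. This is an added example, not code from the bug report or from mod_wsgi; the names `probe`, `PROBE` and `application` are assumptions of this example, and the WSGI callable is meant to be mounted temporarily under mod_wsgi.

```python
import os
import subprocess
import sys

# One-liner run in a fresh interpreter: prints the randomization flag and one string hash.
PROBE = "import sys; print(sys.flags.hash_randomization, hash('mod_wsgi'))"


def probe(seed):
    """Start a new interpreter with PYTHONHASHSEED=seed (None leaves it unset).

    Returns (hash_randomization flag, hash of a fixed string) as integers.
    """
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed is not None:
        env["PYTHONHASHSEED"] = seed
    out = subprocess.check_output([sys.executable, "-c", PROBE], env=env)
    flag, value = out.decode("ascii").split()
    return int(flag), int(value)


def application(environ, start_response):
    """Diagnostic WSGI app: report what the embedded interpreter sees.

    Under mod_wsgi, os.environ is httpd's environment, so a value set in
    /etc/sysconfig/httpd shows up here. Interpreters that predate the
    feature have no hash_randomization flag, reported as 'unsupported'.
    """
    flag = getattr(sys.flags, "hash_randomization", "unsupported")
    seed = os.environ.get("PYTHONHASHSEED", "<unset>")
    body = ("hash_randomization=%s PYTHONHASHSEED=%s\n" % (flag, seed)).encode("ascii")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Compare a disabled seed, a fixed seed and a random seed across fresh processes.
    for seed in ("0", "42", "random", "random"):
        print("PYTHONHASHSEED=%-6s -> flag=%d hash=%d" % ((seed,) + probe(seed)))
```

With `PYTHONHASHSEED=0` the flag is 0 and the hash repeats on every start; with `random` the flag is 1 and the hash changes from one process to the next, which is the behaviour to confirm after restarting httpd.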
