I'm hosting a simple wsgi application on httpd over CentOS 7 using mod_wsgi and trying to remove the isolation illustrated below.

The wsgi app

The following script is my wsgi application:

- it creates a file called /tmp/test-wsgi.txt
- enumerates the content of /tmp as a simple json list

code:

```python
import json
import os

def application(environ, start_response):
    status = '200 OK'
    headers = [('Content-Type', 'application/json')]
    start_response(status, headers)
    # Create a marker file, then list what this process sees in /tmp
    with open('/tmp/test-wsgi.txt', 'w+') as w:
        w.write('hello world')
    files = os.listdir('/tmp')
    # WSGI expects an iterable of byte strings, not a bare str
    return [json.dumps(files).encode('utf-8')]
```
When I'm accessing my web application I'm getting the following response:

    ["test-wsgi.txt"]

Great so far!

However, connected to the same hosting server as root, I've opened a shell and executed cat /tmp/test-wsgi.txt

From playing around with it, it seems that any filesystem operation (enumeration/creation/socket access) inside my wsgi script is "environmentally isolated" (like a chroot jail). The strange thing is I haven't configured any of that type of isolation.
httpd config

/etc/httpd/conf.d/my-app.conf

```apache
<VirtualHost *:80>
    DocumentRoot /opt/my-app/
    WSGIScriptAlias / /opt/my-app/apache/wsgi.py
    <Directory /opt/my-app/apache>
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>
```

/etc/httpd/conf/httpd.conf

```apache
...
User apache
Group apache
...
```
Security Feature, PrivateTmp

It's a security feature called PrivateTmp, configured by default with the httpd systemd service. How to disable it?

Edit /usr/lib/systemd/system/httpd.service and remove the following line:

Then run the following commands,
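As an added example (not part of the answer above, and not code from the httpd or systemd projects), the following POSIX shell script shows the checks a practitioner would want around this answer: read the PrivateTmp= setting out of a unit file, locate the files the service actually wrote (with PrivateTmp on, systemd bind-mounts the service's /tmp from a host directory named /tmp/systemd-private-<bootid>-httpd.service-<random>/tmp, so the app's test-wsgi.txt exists there, not in the host's /tmp), and turn the feature off with a drop-in override under /etc/systemd/system/httpd.service.d rather than editing the vendor unit in /usr/lib, which the next httpd package update would overwrite. The unit-file contents and the directory tree the script checks against are constructed inside it so it runs offline; the function names, the override file name private-tmp.conf and the unit name httpd are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the httpd/systemd projects).
# The functions only read paths you pass them; the one that changes the
# real system (apply_private_tmp_override) is defined but not called here.

# Print the PrivateTmp= value from a unit file (empty if unset).
# systemd honours the last assignment, so keep only the final match.
unit_private_tmp() {
    sed -n 's/^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# List files a unit wrote into its private /tmp. On the host, systemd
# keeps that directory as <base>/systemd-private-<bootid>-<unit>.service-<random>/tmp;
# <base> is /tmp on a real system and a test tree below.
private_tmp_files() {
    base="$1"
    unit="$2"
    for d in "$base"/systemd-private-*-"$unit".service-*/tmp; do
        if [ -d "$d" ]; then
            ls -A "$d"
        fi
    done
}

# Emit a drop-in that disables PrivateTmp without touching the vendor unit.
private_tmp_override() {
    printf '[Service]\nPrivateTmp=false\n'
}

# Install the drop-in for a unit and restart it (needs root; assumed
# file name private-tmp.conf). Usage: apply_private_tmp_override httpd
apply_private_tmp_override() {
    unit="$1"
    dir="/etc/systemd/system/${unit}.service.d"
    mkdir -p "$dir"
    private_tmp_override > "$dir/private-tmp.conf"
    systemctl daemon-reload
    systemctl restart "$unit"
}

# --- Offline self-check against constructed data (not the real files) ---

# A constructed copy of the relevant lines of a CentOS 7 httpd.service unit.
sample_unit=$(mktemp)
cat > "$sample_unit" <<'EOF'
[Service]
Type=notify
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
PrivateTmp=true
EOF

# A constructed host /tmp in which httpd's private /tmp holds the marker file.
sample_root=$(mktemp -d)
mkdir -p "$sample_root/systemd-private-0123456789abcdef0123456789abcdef-httpd.service-AbCdEf/tmp"
touch "$sample_root/systemd-private-0123456789abcdef0123456789abcdef-httpd.service-AbCdEf/tmp/test-wsgi.txt"

echo "PrivateTmp in sample unit: $(unit_private_tmp "$sample_unit")"
echo "Files in httpd's private /tmp: $(private_tmp_files "$sample_root" httpd)"
echo "Drop-in that would be written:"
private_tmp_override
```

On a live CentOS 7 host, `systemctl show -p PrivateTmp httpd.service` reports whether the feature is in effect, and `private_tmp_files /tmp httpd` (run as root) shows the file the wsgi app wrote. PrivateTmp exists to keep a service's temporary files away from other local users' /tmp races and symlink tricks, so if the real goal is to share files between the app and another process, giving both a dedicated directory is usually a better fix than disabling it for all of httpd.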