httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From n..@apache.org
Subject svn commit: r724959 - /httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml
Date Wed, 10 Dec 2008 02:26:48 GMT
Author: niq
Date: Tue Dec  9 18:26:48 2008
New Revision: 724959

URL: http://svn.apache.org/viewvc?rev=724959&view=rev
Log:
Add security section to mod_privileges docs

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml?rev=724959&r1=724958&r2=724959&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml Tue Dec  9 18:26:48 2008
@@ -58,6 +58,92 @@
 
 </summary>
 
+<section id="security"><title>Security Considerations</title>
+<p>There are three principal security concerns with mod_privileges:</p>
+<ul><li>Running as a system user introduces the same security issues
+    as mod_suexec, and near-equivalents such as cgiwrap and suphp.</li>
+<li>A privileges-aware malicious user extension (module or script)
+    could escalate its privileges to anything available to the
+    httpd process in any virtual host.</li>
+<li>A privileges-aware malicious user extension (module or script)
+    could escalate privileges to set its user ID to another
+    system user (and/or group).</li>
+</ul>
+
+<p>The first is amply discussed in the suexec page and elsewhere, and
+doesn't need repeating here.  The second and third boil down to one
+principle: ensure no untrusted privileges-aware code can be loaded.
+</p>
+
+<p>There are several ways privileges-aware code could be loaded into Apache:</p>
+<ul>
+<li>within the base system (e.g. mod_privileges itself if statically linked).</li>
+<li>Loaded at startup using a LoadModule or LoadFile directive.</li>
+<li>Loaded at startup indirectly by an application module such as mod_php.</li>
+<li>Loaded at runtime by an application module or script.</li>
+</ul>
+
+<p>What gets loaded at startup is under the control of the sysop, and
+relatively easy to deal with.  A tool will be provided to audit your
+installation.  That leaves code loaded in the course of processing a
+request as the threat.  There is unfortunately no generic way apache
+can control what a script running under an application module can load,
+so you should use the security provided by your scripting module
+and language.</p>
+
+<section><title>Security with mod_php</title>
+
+<p>There is no known PHP extension supporting Solaris privileges, so it
+is unlikely that a script could escalate privileges unless it can
+load external (non-PHP) privileges-aware code.  However, you should
+nevertheless audit your mod_php installation.</p>
+
+<p>To prevent scripts loading privileges-aware code, PHP's dl() function
+should be disabled.  This is automatic in safe mode.</p>
+
+</section>
+
+<section><title>Security with mod_perl</title>
+
+<p>Perl has an extension Sun::Solaris::Privileges that exposes the privileges
+API to scripts.  You should ensure this extension is NOT installed if you
+have untrusted users.</p>
+
+<p>You will also need to ensure that your users cannot load shared objects
+(including PerlXS) from their own user directories, or that if this is
+enabled, the entire user-space must be carefully audited.</p>
+</section>
+
+<section><title>Security with mod_python</title>
+
+<p>There is no known Python extension supporting Solaris privileges, so it
+is unlikely that a script could escalate privileges unless it can
+load external (non-Python) privileges-aware code.  However, you should
+nevertheless audit your mod_ruby installation.</p>
+
+<p>*** What are the issues of Python loading a shared object?</p>
+</section>
+
+<section><title>Security with mod_ruby</title>
+
+<p>There is no known Ruby extension supporting Solaris privileges, so it
+is unlikely that a script could escalate privileges unless it can
+load external (non-Ruby) privileges-aware code.  However, you should
+nevertheless audit your mod_ruby installation.</p>
+
+<p>*** What are the issues of Ruby loading a shared object?</p>
+</section>
+
+<section><title>Security with Lua/mod_wombat</title>
+
+<p>???</p>
+</section>
+<section><title>Security with scripts</title>
+<p>The security issues of mod_privileges do not affect scripts such as
+traditional CGI, which run in a separate process.  That includes
+PHP, Perl, Python, Ruby, etc, run out-of-process.</p>
+</section>
+</section>
 <directivesynopsis>
 <name>VHostUser</name>
 <description>Sets the User ID under which a virtual host runs.</description>



Mime
View raw message