httpd-dev mailing list archives

From "Jason S. Clary" <>
Subject Re: Using the PUT method with Apache
Date Tue, 25 Feb 1997 18:29:01 GMT
> I am very scared by what certain servers that implement nifty things like
> PUT and web accessible configuration interfaces do; some even suggest
> running your server as root to avoid any problems.  

I've been wondering about this, actually...  I've been considering doing some
patchwork to Apache for this particular sort of thing.. It would be fairly
complicated and require patches to several modules..

wu_ftpd runs as root without security difficulties because it switches users
prior to responding to any requests.. But this allows it to act on behalf of
user in question (allowing for greater security on a shell system)  I like to
keep all my home directories secured from browsing but this makes Apache
not able to read the public_html directory...  I've seen some very good
that use a feature (unfortunately I think it's only available on Linux) where
you can change the effective permissions for the DISK ACCESS ONLY.. which is quite
nice...  The process is still root (avoiding users being able to kill the
but it gets permission errors accessing any files other than those available
the particular user using the service.  This, of course, would require
to the CGI handler so that it runs CGI's as the user who owns the CGI
(or maybe as whoever owns the CGI itself..)  If you want to avoid accidental
security problems because of this you can do a scan on startup of all CGI
dirs and report the security problem if any are owned by root.

I've actually got some basic patches like this to 1.1.3 that I use.  It runs
as root w/ file access set to www when pulling any files under the document
root and it alters its permissions to access as the user in question when
doing userdirs.  It runs all CGI's setruid()/setrgid() to a user set in the
access.conf (a DirOwner directive I added)

Still, that makes things like mod_php a pain..  It would take some fairly
fundamental core changes to do it right overall.

Unfortunately I am pretty sure this feature of being able to change the
effective UID for disk access ONLY is exceptionally non-portable.
I've only seen Linux specific stuff using it, but maybe I'm wrong...
Switching effective only might work, and then forking and setting real for
CGI runs so the main httpd process runs as root, the children run as
for whatever web they are accessing, and CGI's run real for whatever web they
are running from.

It would take a VERY keen eye for security to implement this and a lot of
time and testing.

> Two of the projects I am thinking about when I have time are a reasonably
> secure PUT handler (external setuid binary, gets user password on stdin
> and verifies it itself) with an idea of trying to get it into the base
> distribution (would need hooks in the source...) and doing a web based
> configuration interface; probably a separate admin server process like
> most do it, let the user start it by just typing "httpd -config" and
> loading their web browser.
> Both involve doing root-only things that have to be done securely.  Not
> sure I will ever get to any of these, but...
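
The startup scan suggested in the message above (report any CGI file owned by root before running CGIs as their owner), written out as an added example; it is not part of the original message or of Apache. The group/world-writable and symlink checks go beyond the root-ownership check the message names, and the function name and command-line directory argument are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries directly under cgi_dir that must not be run as their owner:
 *  - owned by forbidden_uid (root, in the message's proposal);
 *  - group- or world-writable (extension: someone else could replace them);
 *  - symlinks (extension: the link's owner is not the target's owner).
 * Findings are written to report when it is non-NULL.
 * Returns -1 if cgi_dir cannot be opened. */
int scan_cgi_dir(const char *cgi_dir, uid_t forbidden_uid, FILE *report)
{
    DIR *d = opendir(cgi_dir);
    if (d == NULL)
        return -1;
    int findings = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        int n = snprintf(path, sizeof path, "%s/%s", cgi_dir, e->d_name);
        if (n < 0 || (size_t)n >= sizeof path)
            continue;                       /* path does not fit the buffer */
        if (lstat(path, &st) != 0)          /* lstat: never follow links */
            continue;
        const char *why = NULL;
        if (S_ISLNK(st.st_mode))
            why = "symlink";
        else if (!S_ISREG(st.st_mode))
            continue;                       /* ".", "..", subdirectories */
        else if (st.st_uid == forbidden_uid)
            why = "owned by forbidden uid";
        else if (st.st_mode & (S_IWGRP | S_IWOTH))
            why = "group/world-writable";
        if (why != NULL) {
            findings++;
            if (report != NULL)
                fprintf(report, "%s: %s\n", path, why);
        }
    }
    closedir(d);
    return findings;
}

int main(int argc, char **argv)
{
    /* Assumption: one CGI directory on the command line; uid 0 is root. */
    return scan_cgi_dir(argc > 1 ? argv[1] : ".", 0, stderr) == 0 ? 0 : 1;
}
```

A server doing this at startup would refuse to enable the run-as-owner CGI handler for any directory where the scan returns a non-zero count.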
