From: John Wojtowicz
To: new-httpd@apache.org
Date: Tue, 17 Aug 1999 13:00:03 -0400
Subject: RE: different users under Apache?

At 06:28 PM 8/16/99 +0530, you wrote:
>Yes, I agree Martin, I am marking it to new-httpd for
>further discussion/implementation.
>
>In brief, to new-httpd:
> Martin wants the virtual hosts to be able to run as different
> system users (other than the main server User), not only for
> script execution (with suEXEC) but ALSO for normal file access.
>

This is definitely an interesting concept; however, I don't know if it is more secure. Correct me if I'm wrong, but the basis for security that currently exists in Apache is based on the fact that the listening processes are not executing as root. To do what you're proposing in the simplest manner would likely require the listening processes to be exec()'d as root. This would probably not be an acceptable solution. Or the listening processes would have to ONLY service one particular IP/port pair. Again, correct me if I'm wrong, but this would probably require a big change to the code that handles making the child processes.
And this all ignores anything you might want to do with listening threads in the future, which would probably make dealing with different process UIDs trickier. All this is a bit easier to secure up when you're working on a "Trusted" Unix OS (which handles privileges differently than "conventional" Unix systems). But that's a whole other story. I've actually ported Apache to Trusted Solaris 2.5.1, and have secured it up quite well by modifying it to take advantage of network labels and the principle of least privilege. Oh well, just some thoughts on Apache security and running different vhosts as different users.

John

--
John Wojtowicz, Secure Systems Engr.        ph: (703) 318-7134
Trusted Computer Solutions, Inc.            fax: (703) 318-5041
13873 Park Center Rd. Suite 225             email: jwojtowicz@tcs-sec.com
Herndon, VA 20171                           http://www.tcs-sec.com/
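As an added illustration of the privilege model debated above (example code, not from this thread or the Apache source): the drop-to-unprivileged-UID step a root parent would perform before handing a per-vhost worker to that vhost's user, followed by a check that root cannot be regained. Function names are hypothetical, and the demo drops to the caller's own IDs so it also runs without root.

```c
/* Added example, not from the list post or Apache: a per-vhost worker
 * dropping from root to its own UID/GID, then proving the drop is final.
 * Order matters: supplementary groups, then GID, then UID, because once
 * the UID is no longer 0 the first two calls would be refused. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid. Returns 0 on success, -errno (or -EPERM) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may clear supplementary groups; skip the call otherwise. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    /* Verify real and effective IDs both changed; never trust return codes alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -EPERM;
    return 0;
}

/* Returns 1 when the process can no longer become root, 0 otherwise.
 * setuid() (not seteuid()) also replaces the saved UID, so setuid(0)
 * must now fail with EPERM. */
int privileges_irrevocably_dropped(void)
{
    if (geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed demo: a real worker would use the vhost's UID/GID. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("root regainable: %s\n",
           privileges_irrevocably_dropped() ? "no" : "yes");
    return 0;
}
```

Run as root the demo drops to root's own IDs, so the check reports root is still regainable; run as an ordinary user it reports "no".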