httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Barrett" <>
Subject Setuid Apache revisited
Date Thu, 25 May 2000 21:58:06 GMT
Stephen Misel suggested a patch to apache that would let apache run as root and use seteuid/setegid
per request to assume the
uid/gid of a virtual host. Was there a patch ever posted, or has an equivalent solution been
proposed ?? I'm working on the same
idea for 1.3.12 to support a large scale virtual hosting system where php and mod_perl will
be used extensivly, and the current
apache provides no means to secure scripting modules of this type, they run as the apache
uid/gid, which is IMO as big a security
hole as any possibility of a buffer over-run in a root process (as mentioned by Marc Slemko
in his reply to the origninal post).

If there has been no further work on this concept, could someone a bit more up on apache internals
at least point me to the right
locations to handle the uid/gid switching in the request process. I've already patched the
user/group directive handling and the
ap_call_exec function to honor the virtual server uid/gid (incidentally eliminating the need
for suexec to handle external CGI
securely). All thats left is the protection for normal requests. I would presume that the
change would need to take place as quickly
after the virtual host has been identified as possible, but I'm having a hard time figuring
out the right place in the 1.3.12 source
tree to do this.

Thanks in advance for any help :)

John Barrett
InterSite Technologies

=== Original Posts ===

On Mon, 15 Nov 1999, Stephen Andrew Misel wrote:
>The processes wait for connections as root, and once a connection
>has been made, it calls setegid() and seteuid() for the User and
>Group specified in the conf file for that VirtualHost. If the
>request is a non CGI (or SSI, etc) the request is handled and that
>process does a setegid() and seteuid() back to root to wait for
>the next request.

>In the event we're dealing with a CGI and need to fork(), the
>setegid() and seteuid() are back to root, at which point it calls
>setgid() and setuid() to assume the user's real identity (verses
>effective), and then forks off the child. Of course, when the
>request is complete, it assumes root again and waits in the free

>I see the security implications here as minimal, as long as the
>server makes a confirmation that it's uid/gid change was successful
>before serving documents or running CGI's (otherwise they'd run as
>root, bad bad). Am I correct?

No. Running the server in that manner means that any bug in the server
(eg. buffer overflow) will allow a root compromise. That is not a
very good thing and, because of that, I'm doubtful that such code has
a place in the Apache distribution.

Sure, it is convenient. But it is also quite risky.

View raw message