httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Campbell <>
Subject Possible security enhancement to apache server
Date Tue, 26 Jun 2001 00:01:14 GMT

I would like to discuss with anybody who knows the internals of the
software the viability of an Apache server change along the following lines.
Verbose mode on.

Apache is mostly started by system scripts at boot time, and as such, is
started as root.  From there, it can change uid and gid down to user
nobody or whoever.
But in a situation where apache has to be restarted in a control-centre
environment where application services are monitored, apache still
needs to be started as root because it needs to be able to bind to low
ports (Unix requirement).  BUT if you want to run the control-centre
as a non-root user, the only option it would seem is to have some
sort of setuid program to start apache as root.  Then, if the control-centre
has the requirements to be able to write the apache config files, then
you're in a situation where the user under which apache runs has both
the ability to launch apache as root and also to reconfigure apache.
Together, this means that the user has the ability to get a root shell on
the system by configuring apache to do things that it shouldn't.

This opens up a can of worms with respect to security.  Many people
do this anyway.

I would like to propose a configurable option to Apache's bind process
that does something along the following lines.  The idea is this:  allow non-root
user processes to bind to low ports, but do it in a well-defined and fully
controllable way.  How?  Read on.

The technique is as follows:  instead of calling bind() directly from
Apache, optionally (given configuraiton options) invoke a function
delegate_bind() which has the same parameters as bind(), which if
binding to low ports, internally does a fork() and execs a setuid
root program that inherits the socket from its parent process and
does the bind of the socket to a low port.  Because the socket in
the child process is the same as the socket in the parent process,
the bind done in the child process does bind the socket in the
parent process.  The child process then exits returning status etc.
This setuid program can check a configuration file in /etc to see
whether the invoking user is allowed to do the bind to the particular
port, and deny them if not allowed.

I have a working implementation of the above (not integrated into
apache) at:   (3k)

I'm quite happy to try to integrate the above into Apache sources,
but would there be interest from the powers that be to include the
above into the apache distribution?

Does anybody have any comments about the implications
of the above?

Are there any complexities that I could possibly be not seeing?

-- Dave Campbell
   PHONE AUS  07 3216 6015
   PHONE INTL +61 7 3216 6015

View raw message