httpd-dev mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: PHP and other security problems - a solution idea
Date Mon, 22 Apr 2002 14:22:06 GMT
vogt@hansenet.com wrote:

> Idea: On handling a file, setuid() to owner of file. On closing connection,
> re-engage original uid (nobody, apache, www-data, whatever it is). PHP will
> run under user's UID, other users are safe.
> 
> This would be maybe 10 lines of code. It can't be that easy, can it? What am
> I missing?

Unfortunately, it can't be that easy.  Two big problems:

1. In order to do the setuid, the server would need to be running as 
root during the request processing phase.  Any bug in Apache request 
processing would then open an instant root hole.

2. If you setuid in such a way that you can get back to the original 
root id, then there is no way to prevent your cgi/php script from also 
getting back to the original root id.  In other words, to do this 
safely, you need to completely give up the original privileges.  Then 
the process would need to die after serving the request.  This would 
make for an incredibly slow server.

As has been mentioned, the perchild MPM may eventually help you do 
something similar.  If you have enough resources, you can get a similar 
effect now by just running separate copies of apache for each user.  If 
they have independent IP addresses, then you just bind each to its own 
address.  If they share the same IP address, then you can run each on 
its own port, and use a proxy on port 80 to forward requests to the 
appropriate port.  This configuration has always been possible, but it 
is more feasible in Apache 2.0, because the threaded MPMs scale quite a 
bit better, so you should be able to run many copies of Apache without 
killing the server.

Joshua.

