httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Clark <mich...@metaparadigm.com>
Subject [RFC] Apache Privilege Separation
Date Thu, 28 Jul 2005 15:51:38 GMT
Hi Folks,

We've been doing some work on privilege separation with Apache 1.3
and thought we'd share it with folk here. Not expecting this work
to be integrated (as it relies on external mod_dav module), although it
could serve as some groundwork for something similar in Apache 2.1

  http://oss.metaparadigm.com/apache-privsep/

The Apache Privilege Separation patch addresses the problem of an
Apache DAV server only being able to write files as the apache user
(usually something like 'nobody' or 'www') and it does so in a very
secure way.

It can be used for instance to allow DAV access to ~user directories.

In Privilege Separation mode Apache continues to run as an unprivileged
user although one additional especially secure process runs as 'root'.

The 'root' privileged separated process communicates with the main
apache process via unix sockets and performs only two purposes.

  Responds to PAM authentication requests (pam_unix authentication is not
  normally possible due to the unprivileged apache process not being
  able to access shadow passwords, but due to the privilege separated
  design this is now possible and secure). Authentication responses include
  a cryptographic cookie which encodes the users credentials and is used in
  successive privileged filesystem requests made to the privsep process.

  Performs privileged filesystem operations on behalf of the unprivileged
  apache process as the privileges of the authenticated user. The crypto
  cookie is verified and then the effective userid is set and the file
  operation is performed. Certain auditable points in the apache and mod_dav
  code have been changed to use the privsep calls which communicate via unix
  sockets (priv_open, priv_unlink, priv_rmdir, etc...). File descriptors
  are passed back over unix sockets for open calls.

Feedback much appreciated.

Regards,
Michael Clark.

Mime
View raw message