httpd-dev mailing list archives

From Mathieu CARBONNEAUX <i...@ch2o.info>
Subject Re: High security
Date Wed, 07 May 2008 21:33:16 GMT
hi all,

sorry to enter so late in the discussion...

i agree with you torsten (+1), i think it is the right place to do it. i
think adding a hook like pre_childinit that occurs before
unixd_setup_child removes the root rights (in child_init you have lost
the root rights just before) can be a more generic way, and afterwards
using this hook to implement the chroot option as a loadable module.
and i think it can be useful for other modules to have a chance to use
root rights just before they are removed in child_init...

other implementations of chroot in apache exist, and i think many
interesting hints for using chroot in apache are on the mod_chroot page:
http://core.segfault.pl/~hobbit/mod_chroot/caveats.html
i think it would be interesting to add some of this to the documentation
also...

and the loadfile of libgcc_s.so.1 is only needed in the threaded mpm
version, because the thread lib uses some symbols of libgcc_s.so.1 that
are autoloaded in the child when a thread is created after
unixd_setup_child occurs...

i've made a modified version (in 02/08) of mod_chroot that works like
your modification (chrooting just before setting up setuid in the child)
but without modifying apache code and working with ap 2.0 and 2.2...

it works like this: i save the unixd_config.user_id in the pre_mpm hook,
and force it to 0 (root); that way in child_init you are root
(unixd_setup_child skips changing user_id)!
that way i can do the chroot in the child_init hook, then restore
unixd_config.user_id and redo unixd_setup_child to remove root rights.

i think another modification must be done to be complete... it is to
modify the way the global-context DocumentRoot cmd checks whether the
path is a directory or not; it would be very good to check the document
root path relative to the chroot directory instead of server_root if the
chroot option is activated.

without that modification you must have DocumentRoot in the chroot path
and outside the chroot path, like this:
  if the chroot dir is /var/chroot and the global document root is set to
  /var/chroot/www in httpd.conf,
  your global document root points to /var/chroot/www/var/chroot/www.

with that modification you can set the global document root in the jail
path without problem...

a workaround exists... using documentroot in a virtualhost...
in a vhost you can use a path in the jail without problem because the
documentroot cmds in the jail are executed when the vhosts are checked...
far later than the point where the chroot occurs (just before
unixd_setup_child)...

in that way it is possible to set the global DocumentRoot to the same dir
as the chroot, and use only vhosts to specify the document root
directory...

but it is not completely transparent because you must set a fake global
document root that exists outside the jail and you are obliged to use
vhosts...

in my mod_chroot modification i correct all paths transparently on the
fly (in the translate hook and the map_to_storage hook) to work around
this (to do it without modification in apache code!)... but it is a
heavier modification... and more risky...

Regards,
Mathieu


    ------------------------------------------------------------------------
    *From:* Torsten Foertsch
    *Sent:* Sat, 26 Jan 2008 08:44:17 +0100

    On Fri 25 Jan 2008, Nick Kew wrote:
     > >  A
     > > compromise might be to create a chroot hook and allow module
     > > developers to use it. This would shift the support burden somewhat
     > > from the core Apache team to those willing to engage the users
     > > providing support.
     >
     > Isn't that basically the status quo (mod_security presumably hooks it
     > in at post_config?)

    Sometimes I have missed a ChildPrivilegedInit hook that is run between
    fork() and dropping privileges in the worker. That would be the right
    place to chroot() I think.

    Torsten
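
The DocumentRoot mismatch described in the message above (a path configured as /var/chroot/www is seen as /www once the child is inside /var/chroot) comes down to a prefix rewrite with a few checks. The following is an added example, not code from mod_chroot, httpd or either poster; the function name `jail_relative_path` and its return convention are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from mod_chroot or httpd): rewrite an absolute
 * path configured outside the jail into the path the child sees after
 * chroot(jail). Returns 0 on success, -1 if the path is not absolute, is
 * not inside the jail, contains a ".." component, or does not fit in out. */
int jail_relative_path(const char *jail, const char *path,
                       char *out, size_t outlen)
{
    size_t jlen = strlen(jail);
    const char *p, *rest;

    if (jail[0] != '/' || path[0] != '/')
        return -1;
    while (jlen > 1 && jail[jlen - 1] == '/')   /* ignore trailing slashes */
        jlen--;

    /* Refuse ".." components: they could climb back out of the prefix. */
    for (p = path; (p = strstr(p, "..")) != NULL; p += 2)
        if (p[-1] == '/' && (p[2] == '/' || p[2] == '\0'))
            return -1;

    if (jlen == 1) {                  /* jail is "/": nothing to strip */
        rest = path;
    } else {
        if (strncmp(path, jail, jlen) != 0)
            return -1;
        rest = path + jlen;
        /* The prefix must end on a component boundary, so that
         * /var/chroot does not match /var/chrootX. */
        if (*rest != '\0' && *rest != '/')
            return -1;
        if (*rest == '\0')            /* the path is the jail itself */
            rest = "/";
    }
    if (strlen(rest) >= outlen)
        return -1;
    strcpy(out, rest);
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample using the two paths from the message above. */
    if (jail_relative_path("/var/chroot", "/var/chroot/www", buf, sizeof buf) == 0)
        printf("DocumentRoot inside jail: %s\n", buf);
    return 0;
}
```

This is a string-level check only: it does not resolve symlinks, so a symlink inside the jail directory that points outside it is not detected here.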

