httpd-dev mailing list archives

From Jille <ji...@quis.cx>
Subject Re: User/group security without CGI (SuEXEC)
Date Thu, 08 May 2008 17:17:55 GMT
Lazy wrote:
> 2008/5/5 Jille Timmermans <jille@quis.cx>:
>>  Hello hackers!
>>
>>  I was thinking of creating a more secure environment for running
>>  webscripts (mod_php in my case),
>>  I want to run php scripts as their owner.
>>
>>  I thought of the following schemes:
>>  http://junk.quis.cx/fViKmLRi/apache-user-scheme-p1.png
>>  http://junk.quis.cx/bPkxwAbI/apache-user-scheme-p2.png
>>
>>  And a setting:
>>  ExecutiveUser %n # This should run php scripts as $script-owner
>>  ExecutiveUser www-%n # this should run php scripts as www-$scriptowner
>>  ExecutiveGroup www
>>  ExecutiveGroup www-%n
>>  (%n meaning the script-owners username, and eg %u for the script-owners
>> uid)
>>
>>  This would (eg) enable me to:
>>  quis@istud:~# id
>>  uid=1000(quis) gid=1000(users) groups=1000(users),10000(www-quis)
>>  quis@istud:~# id www-quis
>>  uid=10000(www-quis) gid=10000(www-quis) groups=10000(www-quis)
>>  quis@istud:~# chown quis:www-quis public_html
>>  quis@istud:~# chmod 750 public_html
>>
>>  So only 'my' apache-runas user can access my scripts.
>>
>>  What do you think about this idea?
>>  It does decrease the performance a bit (Workers should parse the
>>  request, put it in some shm, Executive should pick it up from the shm
>>  and really run the php-script (See the links above for the terms Worker
>>  and Executive))
>>  But if the option is not specified it is possible to do it 'the old way'.
>>  Would it be possible to implement this as an MPM, or MOD ?
>>  (I don't know enough (yet) of apache to say that.)
>>  If that is possible there is no loss when it is disabled.
> take a look at peruser (http://www.telana.com/peruser.php)
> 
> It supports ssl, keep-alive, chroot and chuid per vhost
> 
> in simple configurations it seems to work out of the box with some quirks
> 1) graceful segfaults (apache continues to work)
> 2) on machines with multiple processors it hangs badly on graceful restarts
> 3) some minor issues with ssl cache
> 
> Last week, I think I ironed out 1 & 2; gracefuls work flawlessly on a
> busy webserver (2xdc opteron) (around 300 different users with many
> more vhosts).
> 
> Sadly support list for peruser seems to be dead and latest patch is
> based on 2.2.3.
> 
> I fixed 2 race conditions, added limited support for ssl for
> NamevirtualHosts and did some minor patches.
> 
> All without answer so I guess peruser isn't in active development anymore.
> 
> There is still a memory leak to plug, maybe my patches did some wrong
> but for now it's not a big headache.
> 
> Peruser now for me is quite usable, I have some ideas to improve it. I
> will do it anyway because I need it for my work.
> 
> Somebody told me to fork it, but will anyone care?
I would really like to run it myself,
and I know a few others who would also like it.

I am willing to help you, however I don't know how.
My C skills are not that good, so I can't do it on my own.
I might be able to kill bugs if apache crashes and I can get a backtrace.
I can help you test it on FreeBSD, (FreeBSD jails are quite useful for 
testing).

I think peruser would be a nice feature for apache, it would be a shame 
if it got abandoned.

-- Jille
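
An audit of the permission scheme in the quoted proposal (owner `quis`, group `www-quis`, mode 750), added here as an example; it is not part of either message and is not peruser code. `expand` and `audit_docroot` are hypothetical helper names, and `%n`/`%u` are the placeholders of the proposed `ExecutiveUser` setting, which is not an existing Apache directive.

```python
import os
import stat
import tempfile


def expand(template, name, uid):
    """Expand %n (owner's username) and %u (owner's uid), as proposed in the thread."""
    return template.replace("%n", name).replace("%u", str(uid))


def audit_docroot(path, owner_uid, runas_gid):
    """Return findings for one docroot; [] means it matches owner:run-as-group, mode 750."""
    st = os.lstat(path)  # lstat: a symlinked docroot is reported, not followed
    if not stat.S_ISDIR(st.st_mode):
        return ["not a real directory"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if st.st_gid != runas_gid:
        findings.append(f"group gid is {st.st_gid}, expected {runas_gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        findings.append(f"mode {mode:03o}: world bits let other run-as accounts in")
    if mode & 0o020:
        findings.append(f"mode {mode:03o}: group-writable, run-as account can alter scripts")
    return findings


if __name__ == "__main__":
    # Constructed sample: a temporary directory stands in for ~quis/public_html,
    # and the current uid/gid stand in for quis and www-quis.
    print(expand("www-%n", "quis", 1000))
    docroot = tempfile.mkdtemp()
    uid, gid = os.getuid(), os.lstat(docroot).st_gid
    for mode in (0o750, 0o755, 0o770):
        os.chmod(docroot, mode)
        print(f"{mode:03o}", audit_docroot(docroot, uid, gid) or "ok")
    os.rmdir(docroot)
```

On a real host the expected uid and gid would come from `pwd.getpwnam` for the owner and `grp.getgrnam` for the expanded group name.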
