httpd-dev mailing list archives

From Lazy <lazy...@gmail.com>
Subject Re: User/group security without CGI (SuEXEC)
Date Mon, 05 May 2008 20:28:03 GMT
2008/5/5 Jille Timmermans <jille@quis.cx>:
> -----BEGIN PGP SIGNED MESSAGE-----
>  Hash: SHA1
>
>  Hello hackers!
>
>  I was thinking of creating a more secure environment for running
>  webscripts (mod_php in my case),
>  I want to run php scripts as their owner.
>
>  I thought of the following schemes:
>  http://junk.quis.cx/fViKmLRi/apache-user-scheme-p1.png
>  http://junk.quis.cx/bPkxwAbI/apache-user-scheme-p2.png
>
>  And a setting:
>  ExecutiveUser %n # This should run php scripts as $script-owner
>  ExecutiveUser www-%n # this should run php scripts as www-$scriptowner
>  ExecutiveGroup www
>  ExecutiveGroup www-%n
>  (%n meaning the script-owners username, and eg %u for the script-owners
> uid)
>
>  This would (eg) enable me to:
>  quis@istud:~# id
>  uid=1000(quis) gid=1000(users) groups=1000(users),10000(www-quis)
>  quis@istud:~# id www-quis
>  uid=10000(www-quis) gid=10000(www-quis) groups=10000(www-quis)
>  quis@istud:~# chown quis:www-quis public_html
>  quis@istud:~# chmod 750 public_html
>
>  So only 'my' apache-runas user can access my scripts.
>
>  What do you think about this idea?
>  It does decrease the performance a bit (Workers should parse the
>  request, put it in some shm, Executive should pick it up from the shm
>  and really run the php-script (See the links above for the terms Worker
>  and Executive)
>  But if the option is not specified it is possible to do it 'the old way'.
>  Would it be possible to implement this as an MPM, or MOD ?
>  (I don't know enough (yet) of apache to say that.)
>  If that is possible there is no loss when it is disabled.

Take a look at peruser (http://www.telana.com/peruser.php)

It supports ssl, keep-alive, chroot and chuid per vhost.

In simple configurations it seems to work out of the box, with some quirks:
1) graceful segfaults (apache continues to work)
2) on machines with multiple processors it hangs badly on graceful restarts
3) some minor issues with ssl cache

Last week, I think I ironed out 1 & 2; gracefuls work flawlessly on a
busy webserver (2xdc opteron) (around 300 different users with many
more vhosts).

Sadly, the support list for peruser seems to be dead and the latest patch is
based on 2.2.3.

I fixed 2 race conditions, added limited support for ssl for
NamevirtualHosts and did some minor patches.

All without answer, so I guess peruser isn't in active development anymore.

There is still a memory leak to plug, maybe my patches did something wrong,
but for now it's not a big headache.

Peruser is now quite usable for me, and I have some ideas to improve it. I
will do it anyway because I need it for my work.

Somebody told me to fork it, but will anyone care?

-- 
Michal Grzedzicki
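
The permission layout in the quoted proposal (docroot owned by the user, group set to the per-user run-as account, mode 750) can be checked mechanically. This is an added example, not part of either message and not code from Apache or peruser; the `www-%n` template and the `%n`/`%u` expansion follow the proposal's description, and the function names are hypothetical.

```python
import grp
import os
import pwd
import stat


def expand(template, owner_name, owner_uid):
    """Expand the placeholders described in the quoted proposal:
    %n -> script owner's username, %u -> script owner's uid."""
    return template.replace("%n", owner_name).replace("%u", str(owner_uid))


def audit(owner_name, owner_uid, group_name, mode, group_template="www-%n"):
    """Return findings for a docroot given its owner, group and mode bits.

    An empty list means only the owner and the per-user run-as group
    can reach the scripts, as with `chown quis:www-quis` + `chmod 750`.
    """
    findings = []
    expected = expand(group_template, owner_name, owner_uid)
    if group_name != expected:
        findings.append(f"group is {group_name}, expected {expected}")
    if mode & stat.S_IRWXO:
        findings.append("world access bits set; other users' run-as accounts can reach it")
    if mode & stat.S_IWGRP:
        findings.append("group-writable; the run-as account can modify the scripts")
    if not mode & stat.S_IXGRP:
        findings.append("group lacks search (x) permission; the run-as account cannot enter it")
    return findings


def audit_path(path, group_template="www-%n"):
    """Same check against a real directory (names resolved via pwd/grp)."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return audit(owner, st.st_uid, group, stat.S_IMODE(st.st_mode), group_template)


if __name__ == "__main__":
    # Constructed samples modelled on the quis / www-quis session quoted above.
    for label, args in [
        ("as in the message", ("quis", 1000, "www-quis", 0o750)),
        ("shared group, world-readable", ("quis", 1000, "www", 0o755)),
    ]:
        print(label, "->", audit(*args) or "ok")
```

The group-writable check goes one step beyond the message: with mode 770 a compromised script running as `www-quis` could rewrite the other scripts in the directory.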
