httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: Introducing mod_privileges for Apache HTTPD
Date Mon, 17 Nov 2008 10:34:47 GMT
On Mon, 17 Nov 2008 16:51:15 +0900
KaiGai Kohei <kaigai@ak.jp.nec.com> wrote:

> Hello, Nick
> 
> It seems to me we have similar ideas to enhance web-application
> security. I've focused on SELinux to utilize the security features
> of the operating system.
> 
> I had a plan to start a discussion after my PostgreSQL work is
> closed, but it is a good time to start a discussion about utilizing
> them for web applications.
> 
> I have a modified version of apache/httpd, as a proof of concept.
> 
>    http://code.google.com/p/sepgsql/source/browse/misc/httpd-selinux/
>    (*) Please copy the "2.2.x" directory as "server/mpm/selinux",
>        and append "--with-mpm=selinux"

At a quick look, our concepts appear to be rather different, even
if our goals have something in common.  What you're doing looks like
it focuses on the handler phase only, so all the earlier parts of
request processing happen as the default user.

> It enables invoking request handlers with an individual privilege set
> based on the http-authenticated username, source IP address and so on.
> The typical flow of operations is as follows:
> 
>   1. It receives an HTTP request coming from a client.
> 
>   2. It generates a one-time thread to handle the request.
>      The parent side waits for completion of the thread.
> 
>   3. The one-time thread assigns itself a proper privilege set
>      based on the http-authentication and so on.

Sounds very similar to suexec's security model.

>   4. It invokes request handlers to process the given request.
>      The request handler works within more restricted privileges.
>      When it kicks PHP scripts or static content handlers, the
>      restricted privileges are inherited.
> 
>   5. The one-time thread returns a http response to the client,
>      then it dies soon.
> 
>   6. The parent wakes up, and returns to (1).
> 
> (*) Please note that SELinux disallows reverting privileges,
>      because it can be a vulnerability of unexpected escalation.

As of now, mod_privileges is vulnerable to some forms of attack in
a user application.  That may be similar to what you're avoiding.

> Your "mod_privileges" is implemented on the "perchild" MPM.

No, it's just a module, not a new MPM.  This fits in with a direction
we're trying to take httpd: the simple MPM and mod_unixd are all part
of an effort to move more of the functions of the MPM to standard
modules.

> It is suitable to achieve per-VirtualHost privileges.
> In addition, I think per user/request/network privileges
> enforced by the operating system are a more worthwhile feature.
> 
> A security-focused MPM is a key facility to enable the idea.
> I assume it does not give first priority to performance,
> but it enables resolving some kinds of security nightmares.

Thanks for telling us about your work.  It's certainly interesting
enough that I'll have to find the time for a detailed look, and
see if I can build it on a linux box!

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
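The one-time-thread flow quoted above (steps 2 to 6) and the "cannot revert" caveat, as an added example that is not part of this thread, of KaiGai's httpd-selinux MPM or of mod_privileges. It substitutes POSIX uid/gid switching for the SELinux context switch the MPM does, because it can run without an SELinux policy, and it shows the part a practitioner trips over: glibc's setresuid() propagates the change to every thread in the process, so a request thread that used it would also restrict the parent that is waiting on it and is supposed to return to step 1 unrestricted. The raw Linux syscall changes only the calling thread. The user-to-credential mapping, the handler, the user name "alice" and the fallback uid/gid 65534 ("nobody" on most distributions) are all constructed assumptions; the uid change only happens for real when the program starts as root, an unprivileged run keeps its own ids and still exercises the irreversibility check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, Linux-specific: raw setres[ug]id syscalls so that only the
 * calling thread changes credentials (the glibc wrappers apply to all threads). */

struct request {
    const char *auth_user;  /* http-authenticated user name (constructed) */
    uid_t target_uid;       /* uid the handler for this request must run as */
    gid_t target_gid;       /* gid the handler for this request must run as */
};

struct request_result {
    int   status;           /* 0: handler ran with restricted credentials */
    uid_t handler_uid;      /* effective uid the handler observed */
    int   revert_errno;     /* errno when the thread tried to regain uid 0 */
    uid_t parent_uid_after; /* parent thread's effective uid after the join */
};

struct ctx { const struct request *req; struct request_result *res; };

/* 32-bit ABIs expose the 32-bit-uid variants under a different number. */
static int thread_setresgid(gid_t g)
{
#ifdef SYS_setresgid32
    return (int)syscall(SYS_setresgid32, g, g, g);
#else
    return (int)syscall(SYS_setresgid, g, g, g);
#endif
}

static int thread_setresuid(uid_t u)
{
#ifdef SYS_setresuid32
    return (int)syscall(SYS_setresuid32, u, u, u);
#else
    return (int)syscall(SYS_setresuid, u, u, u);
#endif
}

static int thread_setgroups_none(void)
{
#ifdef SYS_setgroups32
    return (int)syscall(SYS_setgroups32, (size_t)0, (const gid_t *)NULL);
#else
    return (int)syscall(SYS_setgroups, (size_t)0, (const gid_t *)NULL);
#endif
}

/* Stand-in for step 4: the handler just records the identity it runs as. */
static void run_handler(const struct request *req, struct request_result *res)
{
    res->handler_uid = geteuid();
    printf("handler for %s running as uid %u\n", req->auth_user, (unsigned)res->handler_uid);
}

/* Steps 3 to 5: restrict this thread only, run the handler, exit. */
static void *one_time_thread(void *arg)
{
    struct ctx *c = arg;
    const struct request *req = c->req;
    struct request_result *res = c->res;

    /* Groups and gid first: after the uid drop this thread has no CAP_SETGID. */
    if ((geteuid() == 0 && thread_setgroups_none() != 0) ||
        thread_setresgid(req->target_gid) != 0 ||
        thread_setresuid(req->target_uid) != 0) {
        res->status = -1;           /* never run the handler with the wrong identity */
        return NULL;
    }

    /* Real, effective and saved ids all changed, so regaining uid 0 must fail
     * with EPERM. If it does not, the drop was revertible: refuse to continue. */
    errno = 0;
    if (thread_setresuid(0) == 0) {
        res->revert_errno = 0;
        res->status = -1;
        return NULL;
    }
    res->revert_errno = errno;

    run_handler(req, res);
    res->status = 0;
    return NULL;                    /* step 5: the thread dies with its restricted ids */
}

/* Steps 2 and 6: spawn the one-time thread, wait for it, carry on unrestricted. */
int handle_request(const struct request *req, struct request_result *res)
{
    struct ctx c = { req, res };
    pthread_t tid;

    memset(res, 0, sizeof *res);
    res->status = -1;
    if (pthread_create(&tid, NULL, one_time_thread, &c) != 0)
        return -1;
    pthread_join(tid, NULL);
    res->parent_uid_after = geteuid();   /* unchanged: the drop was thread-local */
    return res->status;
}

/* Constructed mapping from the authenticated user to credentials (assumption:
 * 65534 is "nobody"); an unprivileged server keeps its own ids. */
void credentials_for(const char *auth_user, uid_t *uid, gid_t *gid)
{
    (void)auth_user;
    if (geteuid() == 0) { *uid = 65534; *gid = 65534; }
    else { *uid = getuid(); *gid = getgid(); }
}

int main(void)
{
    struct request req = { "alice", 0, 0 };
    struct request_result res;

    credentials_for(req.auth_user, &req.target_uid, &req.target_gid);
    if (handle_request(&req, &res) != 0) {
        fprintf(stderr, "privilege drop failed or was revertible\n");
        return 1;
    }
    printf("revert attempt: %s; parent still uid %u\n",
           strerror(res.revert_errno), (unsigned)res.parent_uid_after);
    return 0;
}
```

Run it as root to see the thread switch to 65534 while the parent stays uid 0; as an ordinary user the ids do not change but the attempt to become root still fails with EPERM, which is the property step 3 depends on. The SELinux version of the same flow replaces the setres*id calls with a per-thread context change and relies on the policy, rather than on cleared capabilities, to make the transition one-way.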
