httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject Re: Introducing mod_privileges for Apache HTTPD
Date Mon, 17 Nov 2008 07:51:15 GMT
Hello, Nick

It seems to me we have similar ideas to enhance web-application
security. I've focused on SELinux to utilize the security features
of the operating system.

I had planned to start this discussion after my PostgreSQL work is
closed, but it is a good time to start a discussion on utilizing
them for web applications.

I have a modified version of apache/httpd, as a proof of concept.

   http://code.google.com/p/sepgsql/source/browse/misc/httpd-selinux/
   (*) Please copy the "2.2.x" directory as "server/mpm/selinux",
       and append "--with-mpm=selinux"

It makes it possible to invoke request handlers with an individual
privilege set based on the http-authenticated username, source IP
address and so on. The typical flow of operations is as follows:

  1. It receives an HTTP request from a client.

  2. It generates a one-time thread to handle the request.
     The parent side waits for completion of the thread.

  3. The one-time thread assigns itself a proper privilege set
     based on the http-authentication and so on.

  4. It invokes request handlers to process the given request.
     The request handler works within more restricted privileges.
     When it kicks off PHP scripts or static content handlers, the
     restricted privileges are inherited.

  5. The one-time thread returns an HTTP response to the client,
     then dies soon after.

  6. The parent wakes up, and returns to (1).

(*) Please note that SELinux disallows reverting privileges,
     because that could be a vulnerability leading to unexpected escalation.

Your "mod_privileges" is implemented on the "perchild" MPM.
It is suitable to achieve per VirtualHost privileges.
In addition, I think per user/request/network privileges
enforced by the operating system are a more worthwhile feature.

A security focused MPM is a key facility to enable the idea.
I assume it does not give first priority to performance,
but it makes it possible to resolve some kinds of security nightmares.

What do you think of the concept?

Any comment is welcome,

Thanks,

Nick Kew wrote:
> I've just introduced mod_privileges to Apache HTTPD trunk.
> 
> This is a platform-specific module for Solaris 10 and OpenSolaris,
> that makes the webserver privileges(5)-aware.  This enables the
> server to be run with enhanced security, and with different
> settings per virtual host.
> 
> The feature likely to be of most interest is that it enables
> different virtual hosts to run under different Unix user and
> group IDs, using the VHostUser and VHostGroup directives.
> This is the capability once promised by the "perchild" MPM.
> 
> It has one major drawback: it is not suitable for a threaded MPM.
> However, it is ideally suited for use with PHP, which of course
> also precludes threads.  It should also be of interest to anyone
> hosting other in-process scripting environments such as mod_perl,
> mod_python or mod_ruby, or application modules.
> 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/unix/mod_privileges.c 
> 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml 

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
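The six-step flow KaiGai describes, as an added C model that is not the httpd-selinux MPM's own code: the per-thread SELinux context is stood in for by a privilege bitmask in thread-local storage, and `narrow_privileges()`, `privs_for_user()`, `struct request` and `serve()` are hypothetical names.

```c
#include <pthread.h>
#include <string.h>
/* Constructed model of the per-request flow in the mail: the parent spawns
 * a one-time thread, the thread narrows its privilege set from the
 * authenticated user, runs the handlers and exits. The real MPM uses
 * SELinux contexts; here the set is a bitmask in thread-local storage, so
 * each worker is isolated like a per-thread context. Names are hypothetical. */
enum { PRIV_READ_DOCROOT = 1, PRIV_WRITE_UPLOAD = 2, PRIV_EXEC_SCRIPT = 4 };

static _Thread_local unsigned current_privs = 0xFFu; /* each thread starts wide */

/* Step 3: narrowing is the only direction allowed, mirroring the SELinux
 * rule that a thread cannot revert to a broader context. */
static int narrow_privileges(unsigned wanted)
{
    if (wanted & ~current_privs)
        return -1;              /* attempt to widen: refused */
    current_privs = wanted;
    return 0;
}

/* Privilege set derived from the http-authenticated user (constructed). */
static unsigned privs_for_user(const char *user)
{
    if (strcmp(user, "uploader") == 0)
        return PRIV_READ_DOCROOT | PRIV_WRITE_UPLOAD;
    return PRIV_READ_DOCROOT;   /* unknown/anonymous: static content only */
}

struct request { const char *user; unsigned needs; int allowed; int revert_ok; };
/* Step 4: the handler and anything it invokes (PHP script, static-content
 * handler) run under the inherited thread-local set and cannot widen it. */
static void *handle_request(void *arg)
{
    struct request *r = arg;
    narrow_privileges(privs_for_user(r->user));
    r->allowed = (r->needs & ~current_privs) == 0;
    r->revert_ok = narrow_privileges(0xFFu) == 0;   /* must stay 0 */
    return NULL;                                    /* step 5: thread dies */
}

/* Steps 2 and 6: one-time thread per request; the parent waits for it. */
int serve(struct request *r)
{
    pthread_t t;
    if (pthread_create(&t, NULL, handle_request, r) != 0) return -1;
    pthread_join(t, NULL);
    return r->allowed;
}
```

The model enforces narrowing only inside the process; in the real MPM the operating system (SELinux) enforces it, which is what makes the restriction hold against a compromised handler.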
