httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Wed, 08 Apr 2009 08:29:11 GMT
On Wed, Apr 08, 2009 at 09:09:14AM +0100, Nick Kew wrote:
> On 8 Apr 2009, at 08:32, Joe Orton wrote:
>> So I'm not sure that it's worthwhile.  Having said that, it seems a 
>> lot more worthwhile than the mod_privileges approach in the trunk, 
>> which seems to claim it is secure so long as you don't execute 
>> untrusted code, so I'm not sure what threat model that addresses at 
>> all.
> That's untrusted, privileges-aware code.

"This stab-proof vest protects you from being stabbed by all attackers 
who are not holding a knife"

> Use case: mod_php, whose safe_mode prevents loading such code.

safe_mode is security theatre, it's not a reliable sandboxing mechanism, 
and is being removed in PHP6, thank goodness.  The point is: if you are 
interpreting PHP code in-process, from a security standpoint you must 
consider it equivalent to running arbitrary executable code.  Arbitrary 
executable code can, so far as I can tell, revert whatever changes 
mod_privileges made to the process' privileges - is that not correct?

Regards, Joe

View raw message