httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Wed, 08 Apr 2009 06:58:37 GMT
Nick Kew wrote:
> 
> On 8 Apr 2009, at 03:27, Graham Dumpleton wrote:
> 
> [following up to Graham because two posts by him are all I have
> in this thread]
> 
>> 2009/4/8 KaiGai Kohei <kaigai@ak.jp.nec.com>:
>>> Graham Dumpleton wrote:
>>>> Explain first why using FASTCGI and suexec wouldn't be a better option?
>>>
>>> These are limited to cgi applications, so we cannot apply such kind
>>> of restriction on the built-in script languages and references on
>>> static documents (like *.html).
> 
> So why would a selinux context want to limit itself to the handler phase?
> Why not set the security context first thing in the request processing cycle,
> as with mod_privileges?

It sets its individual privileges at a bit earlier phase for my purpose.

I would like to associate a security context of SELinux with the web users
of applications. The identification and authentication are done in
ap_process_request_internal(), so we need to set a security context
between ap_process_request_internal() and ap_invoke_handler().
(In other words, we cannot identify what security context should be
assigned on the request.)

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
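
The ordering constraint described in the message above, as an added example that is not part of the original post or of any Apache module. It is a self-contained C model: `struct request`, `assign_context()`, `run_request()` and the context labels are hypothetical, and only the names `ap_process_request_internal()` and `ap_invoke_handler()` come from the message.

```c
#include <stdio.h>
#include <string.h>

/* Model of the request fields that matter here; not httpd's request_rec. */
struct request { const char *auth_header; const char *user; char context[64]; };

/* Constructed user-to-context table; the labels are illustrative only. */
static const struct { const char *user, *context; } ctx_map[] = {
    { "alice", "system_u:system_r:webapp_alice_t:s0" },
    { "bob",   "system_u:system_r:webapp_bob_t:s0"   },
};
#define DEFAULT_CONTEXT "system_u:system_r:webapp_anon_t:s0"

/* Stand-in for the authentication done inside ap_process_request_internal(). */
static void process_request_internal(struct request *r) {
    r->user = r->auth_header;   /* model: header already carries a verified name */
}

/* Choose a context from the authenticated user; unknown or absent users
 * get the least-privileged default rather than an error. */
static void assign_context(struct request *r) {
    const char *ctx = DEFAULT_CONTEXT;
    for (size_t i = 0; r->user && i < sizeof ctx_map / sizeof ctx_map[0]; i++)
        if (strcmp(r->user, ctx_map[i].user) == 0)
            ctx = ctx_map[i].context;
    snprintf(r->context, sizeof r->context, "%s", ctx);
}

/* early != 0: assign at the start of the request cycle, before authentication.
 * early == 0: assign between process_request_internal() and the handler. */
static const char *run_request(struct request *r, int early) {
    r->user = NULL;
    if (early) assign_context(r);
    process_request_internal(r);
    if (!early) assign_context(r);
    return r->context;          /* context the handler would run under */
}

int main(void) {
    struct request r = { "alice", NULL, "" };
    printf("early: %s\n", run_request(&r, 1));
    printf("late:  %s\n", run_request(&r, 0));
    return 0;
}
```
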
