httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Thu, 09 Apr 2009 06:24:26 GMT
Graham Dumpleton wrote:
> 2009/4/9 KaiGai Kohei <kaigai@ak.jp.nec.com>:
>> William A. Rowe, Jr. wrote:
>>> KaiGai Kohei wrote:
>>>> However, SELinux does not allow reverting its privilege (security context)
>>>> unconditionally, even if it is dynamically changed.
>>>> If we want to revert it, the security policy has to allow B->A in addition
>>>> to A->B, but that is generally nonsense.
>>>> It is also the reason why we need a one-time thread or process to assign
>>>> individual privileges for each request.
>>> Sounds like it's time for you to hack up an alternate, selinux based mpm.
>> I also think a SELinux based (or possibly other secure OS) MPM
>> is a reasonable candidate.
>>
>> Due to the above limitation, this MPM needs to create a process or
>> thread for each request, and must not allow keep-alive mode.
>>
>> If the approach can be acceptable, I will switch to develop the new
>> mpm approach.
> 
> Which gets back to the old perchild MPM perhaps being in part
> relevant. The difference is that you need a more dynamic system
> whereby which specific user process is used might be based on URL or
> authentication credentials as well as host. Another aspect worth
> consideration is a means to dynamically create additional processes
> for new users, rather than everything being static, with an idle
> timeout mechanism to shutdown user processes which haven't had to
> handle requests for some amount of time. This approach obviously need
> not even involve SELinux specifically, as separation is achieved at the
> process level.

I also think the MPM does not need to focus on SELinux.
If it just creates a one-time thread or process for each request,
a pluggable module can set the privileges of the execution context.
That gives users a chance to assign SELinux privileges.
In addition, someone may choose another operating system.

> FWIW, this dynamic user process creation is something which is being
> implemented in Apache module I develop. That though is being done at
> higher level and only applies to the web applications written in the
> specific scripting language that the module supports, and isn't a
> generic mechanism applicable to all Apache modules.

Hmm... what I would like to achieve is a bit different.

The reason I would like to set the privilege prior to the invocation
of the content handler is to apply consistent access controls independent
of what kind of scripting language is used.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
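The one-time worker KaiGai describes above, as an added example that is not code from this thread or from httpd: a parent forks a fresh process per request, the worker applies a one-way privilege transition in a hook, runs the content handler, and exits, so the parent never has to transition back (the B->A step the SELinux policy would refuse). The request struct, hook and handler names are constructed for the demo; the libselinux setcon() call a real module would make is replaced by Linux PR_SET_NO_NEW_PRIVS, which the kernel likewise never lets a process clear, so the example runs without libselinux. It requires Linux.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed request record for the demo; not Apache's request_rec. */
struct request {
    const char *uri;
    const char *user;
};

/*
 * Hypothetical "set privilege" hook run by the one-time worker before the
 * content handler. In the proposal this is where a module would set the
 * SELinux context for the request. Here we use PR_SET_NO_NEW_PRIVS, another
 * one-way transition: the kernel offers no call that clears it, just as the
 * policy in the thread allows A->B but not B->A.
 */
static int apply_request_privileges(const struct request *r)
{
    (void)r;   /* a real module would derive the label from uri/user */
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Hypothetical content handler: reports the state the worker runs in. */
static int content_handler(const struct request *r, int out_fd)
{
    char buf[160];
    int flag = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    int n = snprintf(buf, sizeof buf, "user=%s uri=%s no_new_privs=%d\n",
                     r->user, r->uri, flag);
    return (n > 0 && write(out_fd, buf, (size_t)n) == n) ? 0 : -1;
}

/*
 * Serve one request in a freshly forked worker: apply privileges, run the
 * handler, exit. The worker is discarded afterwards, so nothing ever has to
 * transition back. Returns the worker's exit status (0 on success) and
 * copies the handler's output into out.
 */
int handle_request_in_worker(const struct request *r, char *out, size_t outlen)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                       /* one-time worker */
        close(pipefd[0]);
        if (apply_request_privileges(r) != 0)
            _exit(2);
        _exit(content_handler(r, pipefd[1]) == 0 ? 0 : 1);
    }

    close(pipefd[1]);
    size_t total = 0;
    ssize_t n;
    while (total < outlen - 1 &&
           (n = read(pipefd[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(pipefd[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/*
 * Drive two constructed requests through separate workers. Returns how many
 * workers reported the restricted state, or -1 if the parent's own state
 * changed (it must not: the transition stays inside the worker).
 */
int run_demo(void)
{
    const struct request reqs[] = {
        { "/app/alice", "alice" },
        { "/app/bob",   "bob"   },
    };
    int before = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    int restricted = 0;
    char out[256];

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (handle_request_in_worker(&reqs[i], out, sizeof out) != 0)
            return -1;
        fputs(out, stdout);
        if (strstr(out, "no_new_privs=1") != NULL)
            restricted++;
    }
    int after = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return before == after ? restricted : -1;
}

int main(void)
{
    return run_demo() == 2 ? 0 : 1;
}
```

The point of the layout is that the privilege hook runs in a process whose lifetime is exactly one request; keep-alive would let a second request ride on a worker already labelled for the first, which is why the thread rules it out for such an MPM.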
