httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject [PATCH] A new mpm: security and mod_selinux (Re: [RFC] A new hook: invoke_handler and web-application security)
Date Mon, 13 Apr 2009 06:57:16 GMT
KaiGai Kohei wrote:
> Stefan Fritsch wrote:
>> On Thursday 09 April 2009, Graham Dumpleton wrote:
>>> Only you would know that. But then, I could be pointing you at the
>>> wrong MPM. There is from memory another by another name developed
>>> outside of ASF which intends to do the same think. The way it is
>>> implemented is probably going to be different and may be the one I
>>> am actually thinking of. I can't remember the name of it right now.
>> Maybe you mean MPM itk, which can change to different users for 
>> different vhosts?
>>
>> http://mpm-itk.sesse.net/
> 
> Thanks for your information.
> 
> It is designed on the prefork. It makes a child process for each
> connection to call ap_process_connection() in separated context,
> and the parent waits for the completion of this.
> In addition, it assigns configured uid/gid on the header_parser hook,
> then contents handlers are invoked.
> 
> It seems to me that we can share its basic idea and design.
> The mpm-itk also has separatable two functionalities:
>  1. it makes a process for each connection.
>  2. it assigns privileges on a process.
> 
> I believe we are now on the right direction.

At first, I planed to implement a new mpm from the scratch, but I
reconsidered it may be a burden for the reviewers, so the attached
patch is implemented as an enhancement of the latest prefork.
(I guess it is a preferable manner.)

The first attached patch adds a new "security" mpm which enables to
launch a new process for each connections, and gives a chance to assign
appropriate privileges for external modules. The newly spawned process
is always one-time purpose, because SELinux does not allow to revert
its privileges.

The second patch is an implementation of the mod_selinux module which
assigns the working process a security context based on authentication
process at the fixups hook, prior to invocations of contents handler.

  Step to apply the patches:
  % svn co http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd-devel
  % cd httpd-devel
  % mkdir -p server/mpm/security
  % cp -f server/mpm/prefork/prefork.c server/mpm/security
  % cp -f server/mpm/prefork/mpm_default.h server/mpm/security
  % cat ~/apache-httpd-security-mpm.1.patch | patch -p1
  % cat ~/apache-httpd-mod_selinux.1.patch | patch -p1

  (*) The attached patch contains only differences from the prefork.

I would like to push this kind of features to the upstreamed httpd
eventually. If you have any suggestion, please feel free to comment.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

Mime
View raw message