httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject [PATCH 47021] A new MPM (security) and mod_selinux module
Date Tue, 14 Apr 2009 08:38:41 GMT
I filed an entry on the bugzilla:
  * Bug 47021 - A new MPM (security) and mod_selinux module
  https://issues.apache.org/bugzilla/show_bug.cgi?id=47021

This is the first time I have submitted patches to the community, so
please tell me if anything about my manner was incorrect.

Thanks,

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>> Stefan Fritsch wrote:
>>> On Thursday 09 April 2009, Graham Dumpleton wrote:
>>>> Only you would know that. But then, I could be pointing you at the
>>>> wrong MPM. There is from memory another by another name developed
> >>> outside of ASF which intends to do the same thing. The way it is
>>>> implemented is probably going to be different and may be the one I
>>>> am actually thinking of. I can't remember the name of it right now.
>>> Maybe you mean MPM itk, which can change to different users for 
>>> different vhosts?
>>>
>>> http://mpm-itk.sesse.net/
>> Thanks for your information.
>>
> >> It is designed on top of prefork. It makes a child process for each
> >> connection to call ap_process_connection() in a separate context,
> >> and the parent waits for the completion of this.
> >> In addition, it assigns the configured uid/gid in the header_parser hook,
> >> then the content handlers are invoked.
>>
>> It seems to me that we can share its basic idea and design.
> >> The mpm-itk also has two separable functionalities:
>>  1. it makes a process for each connection.
>>  2. it assigns privileges on a process.
>>
> >> I believe we are now going in the right direction.
> 
> At first, I planned to implement a new MPM from scratch, but I
> reconsidered, since that may be a burden for the reviewers, so the attached
> patch is implemented as an enhancement of the latest prefork.
> (I guess it is the preferable manner.)
> 
> The first attached patch adds a new "security" MPM which enables launching
> a new process for each connection, and gives external modules a chance to
> assign appropriate privileges. The newly spawned process is always for
> one-time use, because SELinux does not allow reverting its privileges.
> 
> The second patch is an implementation of the mod_selinux module, which
> assigns the working process a security context based on the authentication
> process in the fixups hook, prior to the invocation of the content handlers.
> 
>   Steps to apply the patches:
>   % svn co http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd-devel
>   % cd httpd-devel
>   % mkdir -p server/mpm/security
>   % cp -f server/mpm/prefork/prefork.c server/mpm/security
>   % cp -f server/mpm/prefork/mpm_default.h server/mpm/security
>   % cat ~/apache-httpd-security-mpm.1.patch | patch -p1
>   % cat ~/apache-httpd-mod_selinux.1.patch | patch -p1
> 
>   (*) The attached patch contains only differences from the prefork.
> 
> I would like to push this kind of feature to upstream httpd
> eventually. If you have any suggestions, please feel free to comment.
> 
> Thanks,
> 


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
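The process-per-connection, one-shot-child design described in the quoted message (fork a child per connection, assign privileges in the child where they cannot be reverted, have the parent wait and reap it) as an added example in C. This is not the attached patch and not httpd code: a uid/gid drop stands in for the SELinux context assignment so the file builds without libselinux (a real mod_selinux would call setcon() at the same point), and the struct conn_privs, the handler signature, the pipe standing in for a socket and the uid/gid 65534 are assumptions made for the example.

```c
/* Process-per-connection isolation in the style of mpm-itk / the proposed
 * "security" MPM.  Added example, not code from the thread's patches.
 * The parent forks one child per connection; the child assigns its
 * privileges, serves exactly one connection and _exit()s; the parent waits.
 * A uid/gid drop stands in for SELinux's setcon() (assumption: no libselinux). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical per-connection privilege set; in the thread's design the
 * module derives this from the authenticated user at the fixups hook. */
struct conn_privs {
    uid_t uid;
    gid_t gid;
};

/* Assign privileges in the child.  gid first: once the uid is unprivileged,
 * setgid() would fail.  Supplementary groups would also need clearing with
 * setgroups(2) in a real server; omitted here to stay within POSIX.
 * When not running as root (e.g. in a test) there is nothing to drop. */
static int assign_privileges(const struct conn_privs *p)
{
    if (geteuid() != 0)
        return 0;
    if (setgid(p->gid) != 0 || setuid(p->uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root must now fail. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

typedef int (*conn_handler)(int fd, void *ctx);

/* Fork a one-shot child for one connection.  Returns the child's exit
 * status (0..255), or -1 if fork/wait failed or the child died abnormally.
 * The child never returns from this function: it is never reused. */
int serve_connection_isolated(int fd, const struct conn_privs *p,
                              conn_handler handler, void *ctx)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = assign_privileges(p) == 0 ? handler(fd, ctx) : 111;
        _exit(rc & 0xff);
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed handler: writes a minimal reply and exits with the code in ctx. */
static int echo_handler(int fd, void *ctx)
{
    static const char reply[] = "HTTP/1.0 200 OK\r\n\r\n";
    int code = *(int *)ctx;
    if (write(fd, reply, sizeof reply - 1) < 0)
        return 1;
    return code;
}

/* Serve one "connection" over a pipe (standing in for a socket) and confirm
 * the parent is unaffected.  Returns the child's exit status, -1 on error,
 * -2 if no reply arrived or the parent's credentials changed. */
int demo_run(int exit_code)
{
    int fds[2];
    char buf[64];
    ssize_t n;
    int rc;
    uid_t before = getuid();
    struct conn_privs p = { .uid = 65534, .gid = 65534 };  /* "nobody"; assumption */

    if (pipe(fds) < 0)
        return -1;
    rc = serve_connection_isolated(fds[1], &p, echo_handler, &exit_code);
    close(fds[1]);
    n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    if (n <= 0 || getuid() != before)
        return -2;
    return rc;
}

int main(void)
{
    int rc = demo_run(0);
    printf("child exit status %d, parent uid still %d\n", rc, (int)getuid());
    return rc == 0 ? 0 : 1;
}
```

Because each child is thrown away after one connection, the handler may run under a more restrictive identity (or, with setcon(), a more restrictive SELinux domain) than the parent without the parent ever having to get those privileges back; the explicit setuid(0) check in the child is the cheap way to catch a drop that silently did not stick.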
