httpd-dev mailing list archives

From Graham Dumpleton <graham.dumple...@gmail.com>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Wed, 08 Apr 2009 01:46:26 GMT
Explain first why using FASTCGI and suexec wouldn't be a better option?

It concerns me that in your plans, even though you are changing the
security context of a single thread within an existing process, that
thread may still have access to all the process memory and so
could read or modify memory in use by threads running in a different
security context. I am assuming here that SELinux cannot prevent that
happening.

Graham

2009/4/8 KaiGai Kohei <kaigai@ak.jp.nec.com>:
> Hello,
>
> I've posted my idea to improve web-application security a few times;
> however, it could not interest folks, unfortunately. :(
> So, I would like to offer another approach for the purpose.
> The attached patch is a proof of concept of the newer idea.
> Any comments are welcome, and please feel free.
>
>
> The attached patch adds the following hook:
>  AP_DECLARE_HOOK(int,invoke_handler,(request_rec *r))
>
> The server/core.c registers ap_invoke_handler() as a default
> fallback, and all the ap_invoke_handler() invocations are replaced
> by ap_run_invoke_handler(), so we don't have any compatibility
> issue as long as no module uses the new hook.
>
> The purpose of this new hook is to give modules a chance to assign
> an appropriate privilege set before the content handler is launched.
>
> The mod_selinux.c is a typical example.
> It takes control via the invoke_handler hook whenever someone
> tries to invoke a content handler, then it computes what privilege
> (called a security context) should be assigned during the content
> handler's execution. If the computed privilege is the same as the
> current one, it just returns DECLINED. But if the computed one is
> different from the current one, it creates a one-time worker thread
> and waits for its completion. The worker thread sets the new privilege
> on itself and invokes ap_invoke_handler() with the restricted privilege.
>
> In the previous design proposal, I added hooks just before
> ap_process_(async_)request(), but I noticed it cannot handle a case
> of internal redirection.
>
> BTW, please note that the purpose of our efforts is to launch web
> applications with an individual privilege set, not to add new hooks.
> Now I think the idea is the shortest distance to the goal, but
> are there any other ideas? If you have anything, I would like to
> see it.
>
> Thanks,
> --
> OSS Platform Development Division, NEC
> KaiGai Kohei <kaigai@ak.jp.nec.com>
>
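The following is an added example, not code from the RFC patch or from mod_selinux, modelling the invoke_handler hook pattern KaiGai describes: the hook compares the wanted security context with the current one, returns DECLINED when they match, and otherwise spawns a one-time worker thread that restricts itself, runs the content handler, and reports its status back to the joining caller. The per-thread "security context" is a thread-local string standing in for the SELinux context a real module would set with setcon(3), the context labels and the request_rec struct are illustrative, and the OK/DECLINED values mimic Apache's return codes. The worker also writes to a process-global buffer to show the point Graham raises: the restricted thread still shares the whole address space.

```c
/* Added example (not from the RFC patch or mod_selinux): a model of the
 * invoke_handler hook pattern. The per-thread "security context" is a
 * thread-local string standing in for the SELinux context a real module
 * would set with setcon(3); context labels and request_rec are illustrative.
 * Build: cc -pthread -o hook hook.c */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define OK       0
#define DECLINED -1
#define HTTP_INTERNAL_SERVER_ERROR 500

#define DEFAULT_CONTEXT "system_u:system_r:httpd_t:s0"

/* Minimal stand-in for Apache's request_rec: only what the hook needs. */
typedef struct {
    const char *uri;
    const char *wanted_context;  /* context the handler should run under */
    char result[96];             /* what the content handler "produced" */
} request_rec;

/* Stand-in for the thread's SELinux context (setcon/getcon). */
static __thread const char *current_context = DEFAULT_CONTEXT;
static int set_thread_context(const char *ctx) { current_context = ctx; return 0; }
static const char *get_thread_context(void) { return current_context; }

/* Memory owned by the process, visible to every thread whatever its context. */
static char shared_state[32] = "untouched";

/* Default content handler: records which context it actually ran under. */
static int ap_invoke_handler(request_rec *r)
{
    snprintf(r->result, sizeof r->result, "%s ran as %s", r->uri, get_thread_context());
    return OK;
}

/* One-time worker: restrict itself, run the handler, hand back the status. */
static void *worker_main(void *arg)
{
    request_rec *r = arg;
    if (set_thread_context(r->wanted_context) != 0)
        return (void *)(long)HTTP_INTERNAL_SERVER_ERROR;
    int rc = ap_invoke_handler(r);
    /* The restricted thread still shares the address space: nothing here
     * stops it writing memory that other threads rely on. */
    strcpy(shared_state, "written-by-worker");
    return (void *)(long)rc;
}

/* The mod_selinux-style invoke_handler hook. */
static int selinux_invoke_handler(request_rec *r)
{
    if (strcmp(r->wanted_context, get_thread_context()) == 0)
        return DECLINED;               /* already right: let the default run */
    pthread_t tid;
    void *status;
    if (pthread_create(&tid, NULL, worker_main, r) != 0)
        return HTTP_INTERNAL_SERVER_ERROR;
    pthread_join(tid, &status);        /* wait for the worker to complete */
    return (int)(long)status;
}

/* ap_run_invoke_handler: hook first, core's ap_invoke_handler as fallback. */
static int ap_run_invoke_handler(request_rec *r)
{
    int rc = selinux_invoke_handler(r);
    return rc == DECLINED ? ap_invoke_handler(r) : rc;
}

int main(void)
{
    request_rec app  = { "/cgi-bin/app", "user_u:user_r:httpd_app_t:s0", "" };
    request_rec page = { "/index.html",  DEFAULT_CONTEXT, "" };

    printf("%d: %s\n", ap_run_invoke_handler(&app), app.result);
    printf("%d: %s\n", ap_run_invoke_handler(&page), page.result);
    printf("caller still runs as %s\n", get_thread_context());
    printf("shared_state = %s\n", shared_state);
    return 0;
}
```

The caller's own context is untouched after the join because the thread-local stand-in (like a per-thread SELinux context) only changes in the worker; what does change is shared_state, written by the worker while "restricted", which is the memory-sharing caveat behind the suggestion to compare against FastCGI plus suexec, where the restricted code runs in a separate process.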
