httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Dumpleton <graham.dumple...@gmail.com>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Wed, 08 Apr 2009 07:35:12 GMT
2009/4/8 KaiGai Kohei <kaigai@ak.jp.nec.com>:
> Graham Dumpleton wrote:
>> 2009/4/8 KaiGai Kohei <kaigai@ak.jp.nec.com>:
>>> KaiGai Kohei wrote:
>>>> Graham Dumpleton wrote:
>>>>> 2009/4/8 KaiGai Kohei <kaigai@ak.jp.nec.com>:
>>>>>> Graham Dumpleton wrote:
>>>>>>> Explain first why using FASTCGI and suexec wouldn't be a better
option?
>>>>>> Thease are limited to cgi applications, so we cannot apply such kind
>>>>>> of restriction on the built-in script languages and references on
>>>>>> static documents (like *.html).
>>>>> FASTCGI is not restricted to CGI applications. At least in the sense
>>>>> that FASTCGI allows persistent processes rather than one off processes
>>>>> like CGI. FASTCGI bindings are available for many different languages,
>>>>> including scripting languages, so what 'built-in script languages' are
>>>>> you talking about? The suexec mechanism comes into play as it allows
>>>>> FASTCGI processes to run as a different user than Apache process.
>>>> Hmm... I'll try to search for more details of features of FastCGI.
>>>>
>>>> If you have a hint, could you tell for the questions currently I have?
>>>> IIRC, the CGI version of PHP cannot handle applications which write
>>>> out special HTTP headers, such as WWW-Authenticate: or Location:.
>>>> Is it possible to handle correctly in FastCGI?
>>>> I could not find FastCGI support for WebDav. Is it possible to control
>>>> accesses on files using SELinux?
>>> Hmm... It seems to me FastCGI has same limitation.
>>> The online document introduces that an authenticator program can
>>> be performed to handle authentication phase, but it may require
>>> web applications to be modified.
>>>  http://fastcgi.coremail.cn/configuration.htm#Authenticator
>>>
>>> If we don't hesitate to create a new process for each requests,
>>> I have one another idea which does not require new hooks.
>>> In the traditional client-server model, the server process forks
>>> a child process to handle a request come from clients.
>>> If we have such kind of MPM module, a security module can set
>>> an individual privilege at the head of ap_run_handler hook.
>>>
>>> Needless to say, it has performance tradeoff, but we assume users
>>> don't give the highest priority on the performance.
>>
>> See experimental MPM from Apache 2.0.
>>
>>   http://httpd.apache.org/docs/2.0/mod/perchild.html
>>
>> Didn't get carried through to later Apache versions.
>
> If I can understand correctly, the perchild mpm assigns individual
> userid per virtual host, so it means all the requests handled by
> a certain virtual host shares same privilege set.
> The purpose of my efforts is to set individual privileges for each
> web users of the given request.
>
> Thanks for your information, but it is not suitable for us...

Rather than you say what changes you think need to be done at low
level that you actually explain better at a high level what you are
trying to do. It is really hard to respond to you when we have no real
idea of the outcome you are trying to achieve.

Specifically, what Apache modules are you trying to use that you
specifically want requests to be handled as separate users. You
mentioned 'built in scripting languages' before, but when I asked you
what scripting languages, you didn't answer. As I have already pointed
out, if you are trying to provide scripting language support for
writing Python web applications then FASTCGI can be used, but then you
have dismissed that based on authentication reasons but not really
explaining what the problem is.

Graham

Mime
View raw message