httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Dumpleton <graham.dumple...@gmail.com>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Thu, 09 Apr 2009 05:59:38 GMT
2009/4/9 KaiGai Kohei <kaigai@ak.jp.nec.com>:
> William A. Rowe, Jr. wrote:
>> KaiGai Kohei wrote:
>>> However, SElinux does not allow to revert its privilege (security context)
>>> unconditionally, even if it is dynamically changed.
>>> If we want to revert it, the security policy has to allow B->A in addition
>>> to A->B, but it is generally nonsense.
>>> It is also the reason why we need a one-time thread or process to assign
>>> individual privileges for each requests.
>>
>> Sounds like it's time for you to hack up an alternate, selinux based mpm.
>
> I also think a selinux based (or possible for other secure os) mpm
> is a reasonable candidate.
>
> Due to the above limitation, this mpm need to create a process or
> thread for each requests, and not to allow keep-alive mode.
>
> If the approach can be acceptable, I will switch to develop the new
> mpm approach.

Which gets back to the old perchild MPM perhaps being in part
relevant. The difference is that you need a more dynamic system
whereby which specific user process is used might be based on URL or
authentication credentials as well as host. Another aspect worth
consideration is a means to dynamically create additional processes
for new users, rather than everything being static, with an idle
timeout mechanism to shutdown user processes which haven't had to
handle requests for some amount of time. This approach obviously need
not even involve SELinux specifically as separation achieved at
process
level.

FWIW, this dynamic user process creation is something which is being
implemented in Apache module I develop. That though is being done at
higher level and only applies to the web applications written in the
specific scripting language that the module supports, and isn't a
generic mechanism applicable to all Apache modules.

Graham

Mime
View raw message