From: Jeff Trawick
To: dev@httpd.apache.org
Date: Mon, 11 May 2009 17:34:07 -0400
Subject: Re: [mod_fcgid PATCH] don't try to change ownership of socket directory unless running as root
In-Reply-To: <20090511202621.GA5860@redhat.com>

On Mon, May 11, 2009 at 4:26 PM, Joe Orton wrote:

> On Mon, May 11, 2009 at 11:56:42AM -0400, Jeff Trawick wrote:
> > Currently, starting httpd as non-root with mod_fcgid loaded fails unless
> > User/Group are set to the active User/Group. Normally, httpd modules don't
> > try to set ownership of objects to the specified User/Group unless starting
> > as root. Thus, httpd.conf can contain reasonable User/Group settings for
> > production use but still be suitable for use by Joe User.
> > The affected code in fcgid_pm_unix.c is from the original revision (
> > http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/mod_fcgid/arch/unix/fcgid_pm_unix.c?revision=753487&view=markup
> > ).
> >
> > Logic was added a couple of years ago (
> > http://svn.apache.org/viewvc?view=rev&revision=753553) to bypass the
> > directory creation/chown if the directory already existed and had the
> > correct ownership, to allow use with some SELinux policy.
> >
> > Comments/concerns?
>
> I bumped into problems with this when I tried the Fedora package of
> mod_fcgid recently, but got scared off when I started reading the code.

It seems that there's a lot to understand ;)

> The only requirement on the directory is that root can create
> sockets in the directory, and the less-privileged user can open those
> sockets, right?

Close. The startup user (root) creates the directory and sets permissions to 0700. The child user (e.g., webservd) creates the sockets and connects to them. (A pipe is used for communication as well. I think there's a unix socket per application instance.)
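The behaviour discussed in this thread (create the socket directory with mode 0700, skip the work when the directory already exists with the right owner, and change ownership only when started as root), sketched in plain POSIX C as an added example. It is not code from the patch or from mod_fcgid: `ensure_socket_dir`, the result enum and the scratch path are hypothetical, and refusing a directory with the wrong owner or mode is a choice made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum sockdir_result { SOCKDIR_ERROR = -1, SOCKDIR_REUSED = 0, SOCKDIR_CREATED = 1 };

/* Hypothetical helper (not mod_fcgid code). child_uid/child_gid stand for
 * the already-resolved User/Group settings from httpd.conf. */
enum sockdir_result ensure_socket_dir(const char *path, uid_t child_uid, gid_t child_gid)
{
    struct stat st;
    int am_root = (geteuid() == 0);
    /* Only root can give the directory away; otherwise it stays with the
     * user who started the server, who is also the user creating sockets. */
    uid_t want_uid = am_root ? child_uid : geteuid();

    if (lstat(path, &st) == 0) {   /* lstat: do not follow a planted symlink */
        /* Reuse without mkdir/chown when ownership is already right. The
         * mode test is an extra check added in this example. */
        if (S_ISDIR(st.st_mode) && st.st_uid == want_uid && (st.st_mode & 077) == 0)
            return SOCKDIR_REUSED;
        errno = EEXIST;
        return SOCKDIR_ERROR;      /* wrong type, owner or mode: refuse */
    }
    if (errno != ENOENT)
        return SOCKDIR_ERROR;
    if (mkdir(path, 0700) != 0)    /* umask can only clear bits of 0700 */
        return SOCKDIR_ERROR;
    /* The chown is what fails for a non-root start, so it is root-only. */
    if (am_root && chown(path, child_uid, child_gid) != 0)
        return SOCKDIR_ERROR;
    return SOCKDIR_CREATED;
}

int main(void)
{
    char base[] = "/tmp/sockdir-demo-XXXXXX";   /* constructed scratch location */
    char path[64];
    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/fcgidsock", base);
    printf("first call:  %d\n", ensure_socket_dir(path, geteuid(), getegid()));
    printf("second call: %d\n", ensure_socket_dir(path, geteuid(), getegid()));
    rmdir(path);
    rmdir(base);
    return 0;
}
```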