httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: mpm-itk and upstream Apache, once again
Date Mon, 06 Aug 2012 20:07:05 GMT
On 8/5/2012 8:32 AM, Steinar H. Gunderson wrote:
> On Sun, Aug 05, 2012 at 11:05:59AM -0400, Jeff Trawick wrote:
>> Great!  I'll do something about the remaining patch "before long".
> 
> When the time comes, do we have any hopes of getting this back from trunk to
> 2.4, or would it need to wait for 2.6/3.0?
> 
> FWIW, the mpm-itk security hardening that was discussed (running with uid != 0,
> and limiting setuid/setgid ranges through seccomp) is starting to come quite
> nicely along, although the problem of initgroups() remains (a rogue process
> with CAP_SETGID can add any supplementary group it pleases, and seccomp is
> unable to check it), and there's been very limited user testing so far.
> I guess we can't get fully down to the level of prefork, but it can get
> pretty close.

Steinar,

I solved a very similar problem by spinning off a low-numbered port daemon
which accesses resources (in this case, port 21 or similar) and returns the
fd to the caller after it evaluates whether that request is permitted by the
configuration parsed when it was launched.

The solution might give you some ideas on how this mpm could have very limited
root privileges with very specific purposes, and not at risk from any remote
code execution flaws discovered in the future;
http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/modules/ftp/ftp_lowportd.c

Hope it inspires some interesting improvements :)

Bill
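
The pattern described in the message above, sketched as an added example (it is not part of the original message and is not the code in ftp_lowportd.c): a helper holding the privilege checks each requested port against a list fixed at launch, binds it, and returns the socket over a Unix-domain channel with SCM_RIGHTS. The function names, the one-byte status reply and the port list are assumptions made for illustration.

```c
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

typedef union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } fdbuf;

/* Reply with one status byte; a granted fd rides along as SCM_RIGHTS data. */
int send_reply(int chan, int fd) {
    char status = (fd >= 0) ? 'Y' : 'N'; fdbuf u = { { 0 } };
    struct iovec iov = { &status, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Privileged side: bind only ports listed in ok[] (fixed at launch). */
int helper_serve_one(int chan, const unsigned short *ok, int n) {
    unsigned short port; int fd = -1, allowed = 0;
    if (read(chan, &port, sizeof port) != (ssize_t)sizeof port) return -1;
    for (int i = 0; i < n; i++) allowed |= (ok[i] == port);
    if (allowed && (fd = socket(AF_INET, SOCK_STREAM, 0)) >= 0) {
        struct sockaddr_in sa = { 0 };   /* zeroed sin_addr is INADDR_ANY */
        sa.sin_family = AF_INET; sa.sin_port = htons(port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); fd = -1; }
    }
    int rc = send_reply(chan, fd);
    if (fd >= 0) close(fd);   /* the in-flight copy keeps the socket open */
    return rc;
}

/* Unprivileged side: returns the bound descriptor, or -1 if refused. */
int recv_reply(int chan) {
    char status = 0; int fd = -1; fdbuf u;
    struct iovec iov = { &status, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1 || status != 'Y') return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS
          && c->cmsg_len == CMSG_LEN(sizeof(int)))
        memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
```

The requesting process never holds the privilege itself: it writes a port number to its end of the channel and gets back either a refusal or an already-bound descriptor.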
