From: "William A. Rowe Jr."
To: dev@httpd.apache.org
CC: "Steinar H. Gunderson"
Date: Mon, 06 Aug 2012 13:07:05 -0700
Subject: Re: mpm-itk and upstream Apache, once again
Message-ID: <502023E9.4020506@rowe-clan.net>
In-Reply-To: <20120805153204.GA13772@uio.no>
References: <20120719153831.GA5633@samfundet.no> <20120805150051.GA27712@uio.no> <20120805153204.GA13772@uio.no>

On 8/5/2012 8:32 AM, Steinar H. Gunderson wrote:
> On Sun, Aug 05, 2012 at 11:05:59AM -0400, Jeff Trawick wrote:
>> Great! I'll do something about the remaining patch "before long".
>
> When the time comes, do we have any hopes of getting this back from trunk to
> 2.4, or would it need to wait for 2.6/3.0?
>
> FWIW, the mpm-itk security hardening that was discussed (running with uid != 0,
> and limiting setuid/setgid ranges through seccomp) is starting to come quite
> nicely along, although the problem of initgroups() remains (a rogue process
> with CAP_SETGID can add any supplementary group it pleases, and seccomp is
> unable to check it), and there's been very limited user testing so far.
> I guess we can't get fully down to the level of prefork, but it can get
> pretty close.

Steinar,

I solved a very similar problem by spinning off a low-numbered port daemon
which accesses resources (in this case, port 21 or similar) and returns the fd
to the caller after it evaluates whether that request is permitted by the
configuration parsed when it was launched.

The solution might give you some ideas on how this mpm could have very limited
root privileges with very specific purposes, and not at risk from any remote
code execution flaws discovered in the future;

http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/modules/ftp/ftp_lowportd.c

Hope it inspires some interesting improvements :)

Bill
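The low-port helper pattern Bill describes, as an added example that is not code from mod_ftp's ftp_lowportd.c: a privileged helper reads the port an unprivileged caller asks for over a Unix-domain socket, grants it only if the policy table it was launched with lists that port, and passes the bound listening socket back with SCM_RIGHTS, keeping no copy itself. The function names, the policy table and the loopback bind address are assumptions made for this demo.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* One-byte message with room for exactly one SCM_RIGHTS descriptor (ctl is aligned for cmsghdr). */
struct fdmsg { struct msghdr msg; struct iovec iov; char byte;
               union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } ctl; };
static void fdmsg_init(struct fdmsg *m) {
    memset(m, 0, sizeof *m);
    m->iov.iov_base = &m->byte;      m->iov.iov_len = 1;
    m->msg.msg_iov = &m->iov;        m->msg.msg_iovlen = 1;
    m->msg.msg_control = m->ctl.buf; m->msg.msg_controllen = sizeof m->ctl.buf;
}
/* Hand a descriptor over a Unix-domain socket; fd < 0 sends a bare refusal byte instead. */
static int send_fd(int sock, int fd) {
    struct fdmsg m; fdmsg_init(&m);
    if (fd < 0) return write(sock, &m.byte, 1) == 1 ? 0 : -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m.msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &m.msg, 0) == 1 ? 0 : -1;
}
/* Caller side: a byte that arrives without SCM_RIGHTS attached means the request was refused. */
static int recv_fd(int sock) {
    struct fdmsg m; int fd; fdmsg_init(&m);
    if (recvmsg(sock, &m.msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m.msg);
    if (c == NULL || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Privileged helper, one request: read the port the caller wants, bind it only if the policy
 * table parsed at launch (constructed here) lists it, pass the listening socket back, keep no
 * copy. Returns 0 when a socket was granted, -1 when refused or when the bind failed. */
int lowportd_serve_one(int sock, const int *allowed, size_t n_allowed) {
    int port, fd = -1, rc; size_t i; struct sockaddr_in sa = { 0 };
    if (read(sock, &port, sizeof port) != sizeof port) return -1;
    for (i = 0; i < n_allowed && allowed[i] != port; i++) {}   /* policy lookup */
    sa.sin_family = AF_INET; sa.sin_port = htons((unsigned short)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* loopback for the demo; INADDR_ANY in real use */
    if (i < n_allowed && (fd = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0)) {
        close(fd); fd = -1;                        /* bind failed: refuse rather than fall open */
    }
    rc = send_fd(sock, fd);                        /* fd < 0 here means "refused" */
    if (fd >= 0) close(fd);                        /* the helper never keeps the socket */
    return fd >= 0 ? rc : -1;
}
```

In a real deployment the helper runs as a separate root process on its own Unix socket and the caller only ever holds the returned descriptor, so a compromise of the caller cannot bind ports outside the launch-time policy.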