httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject RE: suexec - false sense of security
Date Thu, 17 Jan 2002 21:56:56 GMT

> From: John Lange [mailto:lists@darkcore.net]

>
> I've seen mentioned on several security related web sites that if you are
> running Apache in a multi-user environment, it should always be built with
> the suexec mechanism enabled to prevent users executing scripts with the
> privileges of the web user.
>
> However suexec as a security mechanism is now outdated since it ONLY
> applies to cgi-scripts and nothing else. Being as PHP and other engines
> are now extremely popular, suexec is quite useless.

That is a faulty argument.  While it is true that suexec won't help for
apache modules, there are still MANY people using cgi scripting that are
helped by suexec.

>
> It seems to me that there is a far better method of implementing this type
> of security strategy. Is it not possible to have apache drop to the user
> and group specified in the Virtual Hosts directive when performing ANY and
> ALL operations related to that virtual host? I'm amazed it doesn't work
> this way now though I admit I have little understanding of the
> complexities of this issue.

This suggestion comes up every couple months.  It will not work for a couple
reasons:

1. In order to switch privileges, apache would need to do request processing
as root.  Any bug in the request processing phase could then be a root hole.

2. Once the privileges are dropped, you can't get them back.  Therefore each
process would be able to serve only a single request before dying.  That
would kill performance.  Depending on the setup, it could also make the
server incapable of handling keep-alive requests.

> This would solve a multitude of other issues our users have with
> permissions and security. Is there any possible way of implementing this
> now? Does Apache 2.x support this?

There is a "perchild mpm" under development for Apache 2.  It handles the
problem by keeping a pool of processes available under a number of different
userids and then passing off requests to the correct process.  This will be
slower than the standard MPMs, but far better than your suggestion.

However, the perchild mpm is not yet operational, and I have no idea when it
will be ready.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
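Point 2 of the reply above (privileges, once dropped, cannot be regained), as an added C example that is not part of the original message and not Apache code: a forked child drops from root to an unprivileged identity and then tries to become root again. The function names and the uid/gid 65534 are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed target identity; 65534 is "nobody" on many systems (assumption). */
#define DEMO_UID 65534
#define DEMO_GID 65534

/* Permanent drop. Groups and gid go first: once setuid() has run, the
 * process no longer has the privilege to change them. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* As root, setuid() replaced the real, effective and saved uid. Verify. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Forks so the caller keeps its identity. Returns 0 if root could not be
 * regained, 1 if it could, -1 if the drop could not be performed.
 * Started without root, there is nothing to drop and only the refusal of
 * setuid(0) is checked. */
int try_regain_root_after_drop(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (geteuid() == 0 && drop_privileges(uid, gid) != 0) _exit(2);
        int regained = setuid(0) == 0 || seteuid(0) == 0 || geteuid() == 0;
        _exit(regained ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    int r = try_regain_root_after_drop(DEMO_UID, DEMO_GID);
    printf("root regained after drop: %s\n", r == 1 ? "yes" : r == 0 ? "no" : "drop failed");
    return r == 1;
}
```

Run it as root to exercise the drop itself; the child that dropped can serve only as the target user from then on, which is why a per-request drop would cost one process per request.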