httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <matthew.fi...@yahoo.com>
Subject Re: [users@httpd] Dynamic Mass Virtual Hosting with Secure Dynamic Content is impossible?
Date Sat, 29 Jul 2006 01:09:46 GMT
Thanks for the attention Joshua...
 
  Yes Ive read the other discussions (I think). I guess I assumed right then, Im stuck without
changes to the source code? suexec cant work with mod_vhost_alias?
 
  Regarding the UID mapping, all it would have to do would be suexec as the owner of the file.
I wonder if that would really be insecure or inflexible afterall. Are users able to chown
files to other users?
 
  Editing the source myself is a possible option, as is hiring a programmer, but the solution
needs to be maintainable and if it didn't make it into httpd core it would not be a plausible
solution.
 
  If I elevate this to the dev team it would be in an effort to recruit someone who could
moonlight the necessary modification and commit it to the tree. If it can't be done securely
this probably is not an option.
 
Matt


----- Original Message ----
From: Joshua Slive <joshua@slive.ca>
To: users@httpd.apache.org
Sent: Friday, July 28, 2006 8:30:24 PM
Subject: Re: [users@httpd] Dynamic Mass Virtual Hosting with Secure Dynamic Content is impossible?


On 7/28/06, Matthew Fisch <matthew.fisch@yahoo.com> wrote:
>
>
>   I'm currently consulting for a customer running 20,000 customers/domains
> on a few dozen zeus webservers sharing an nfs nas. The support contract with
> zeus has lapsed and I am comparing my options for moving over to apache in
> leu of renewing.
>   A basic requirement of any webserver for this cluster is secure dynamic
> mass virtual hosting.
>
>   mod_vhost_alias OR mod_rewrite seems to give me the ability to serve up
> pages from the nfs nas ie
> /var/www/virtual/d/r/dreamway.com/docs . This is basic mass
> virtual hosting.
>   This works great for static content, but breaks down when customers want
> to run CGI/PHP, now we need suexec (or something) to make this secure.
> Unfortunately suexec is defined at the <VirtualHost> level and I see no way
> to incorporate it into a mass virtual hosting setup. I assume this is
> because suexec has no method of mapping domains to uids.
>   Way back in apache 1.3 there was a third party addon mod_cgiwrap that did
> something like this (its now defunct).... and in apache 2.0 there was a
> partly written MPM 'perchild' that might have helped too .. which brings me
> to (less important) point # 2.
>   Zeus has a 'perchild' type feature where the thread that serves up the
> client pages (the whole server) AND the CGI's SU to the user's uid. In
> addition to making CGI's secure, this also lets people 'own' their own
> content away from prying eyes of other users with access to the apache
> group.
>
>   Does this functionality exist in apache and I just cant see it? Is there a
> better place to ask? Let me know, I'll be elevating this to the dev list
> shortly.

It would be relatively straightforward to hack suexec to launch cgi
scripts with a different set of rules.  Of course, you'd need to be
very careful to make it secure (see all the warnings in the docs and
source code).  But if you have 20000 domains, you should be able to
afford to hire a decent programmer.  This is not something that would
make it into the main apache httpd, because it would be impossible to
do it in a flexible and secure way.  Luckily, for one site, you don't
need flexibility.

With regard to serving 20000 hosts entirely under their own userids, I
have never seen anything that could do that without severe sacrifices.
Perchild and similar mpms keep a pool of processes/threads for each
userid, which wouldn't work at that scale.  The other secure
alternative is to launch a new process for each request, but that is
obviously horrible performance-wise.  I don't know anything about
zeus, but I suspect that they have made a major compromise either in
performance or security to accomplish this.

With regard to "elevating" this to the dev list, feel free.  But make
sure you've searched the archives of this list and the dev list for
the dozens of other times this has been discussed.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Mime
View raw message