www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Samuel Liddicott <...@campbellsci.co.uk>
Subject general/4554: More suggestions for user/group flexibility: see 2760 and 1769
Date Thu, 10 Jun 1999 10:02:34 GMT

>Number:         4554
>Category:       general
>Synopsis:       More suggestions for user/group flexibility: see 2760 and 1769
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Thu Jun 10 03:10:00 PDT 1999
>Last-Modified:
>Originator:     sam@campbellsci.co.uk
>Organization:
apache
>Release:        1.3.6
>Environment:
Any
>Description:
See what fhttpd can do (www.fhttpd.org), namely run subservers serving up a limited selection
of the web's under a different UID/GIF (and closing subservers after inactivity timeout).


>How-To-Repeat:

>Fix:
I have some different suggestions here regarding that:
SIMPLE
1a. Or maybe if the UID under which apache is running belongs to MULTIPLE 
groups, the "group" directive could be used to get apache to activate the right group membership.
 Then, if redhat-style individual gid's are used, the users can mark their cgi's as U+sx G+x
O- and be able to run suid's really easily
1b. which also means that MODULES (like mod_php) would be able to access the users g+rw files!
 Almost as good as running under the users UID.
Still needs good security consideration but by no means as dangerous as running as root -
  uid's at risk are ONLY those whose groups the apache user also belongs to.  Thus users keep
security while getting access to private files from modules (mod_pgp, mod_perl) WITHOUT any
hefty apache hacking.

Complicated
2. If httpd renounces root privileges immediatly upon matching the requested URL to some regex,
then surely security problems are minimal:
  [Fork]
  [Accept connection]
  [Read request]
  [Match request]
  [Select new UID and renounce root]
and whatever magic apache uses to re-use children for multiple requests would have to select
the right child.

This would probably restrict mod_rewrite and such from working accross a uid boundry.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]




Mime
View raw message