Mailing List Archive

suexec - false sense of security
I've seen mentioned on several security related web sites that if you are
running Apache in a multi-user environment, it should always be built with
the suexec mechanism enabled to prevent users executing scripts with the
privileges of the web user.

However suexec as a security mechanism is now outdated since it ONLY
applies to cgi-scripts and nothing else. Being as PHP and other engines
are now extremely popular, suexec is quite useless.

It seems to me that there is a far better method of implementing this type
of security strategy. Is it not possible to have apache drop to the user
and group specified in the Virtual Hosts directive when performing ANY and
ALL operations related to that virtual host? I'm amazed it doesn't work
this way now though I admit I have little understanding of the
complexities of this issue.

This would solve a multitude of other issues our users have with
permissions and security. Is there any possible way of implementing this
now? Does Apache 2.x support this?

Regards,

John Lange




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: suexec - false sense of security
> From: John Lange [mailto:lists@darkcore.net]

>
> I've seen mentioned on several security related web sites that if you are
> running Apache in a multi-user environment, it should always be built with
> the suexec mechanism enabled to prevent users executing scripts with the
> privileges of the web user.
>
> However suexec as a security mechanism is now outdated since it ONLY
> applies to cgi-scripts and nothing else. Being as PHP and other engines
> are now extremely popular, suexec is quite useless.

That is a faulty argument. While it is true that suexec won't help for
apache modules, there are still MANY people using cgi scripting that are
helped by suexec.

>
> It seems to me that there is a far better method of implementing this type
> of security strategy. Is it not possible to have apache drop to the user
> and group specified in the Virtual Hosts directive when performing ANY and
> ALL operations related to that virtual host? I'm amazed it doesn't work
> this way now though I admit I have little understanding of the
> complexities of this issue.

This suggestion comes up every couple of months. It will not work for a couple
of reasons:

1. In order to switch privileges, apache would need to do request processing
as root. Any bug in the request processing phase could then be a root hole.

2. Once the privileges are dropped, you can't get them back. Therefore each
process would be able to serve only a single request before dying. That
would kill performance. Depending on the setup, it could also make the
server incapable of handling keep-alive requests.

> This would solve a multitude of other issues our users have with
> permissions and security. Is there any possible way of implementing this
> now? Does Apache 2.x support this?

There is a "perchild mpm" under development for Apache 2. It handles the
problem by keeping a pool of processes available under a number of different
userids and then passing off requests to the correct process. This will be
slower than the standard MPMs, but far better than your suggestion.

However, the perchild mpm is not yet operational, and I have no idea when it
will be ready.

Joshua.
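A worked illustration of Joshua's two points, added here as example code; it is
not from this thread, from Apache or from the perchild MPM. It assumes POSIX/Linux
setuid semantics (build with cc and run either as root or as an ordinary user);
the vhost identity 65534 and the second vhost's uid 1001 are constructed values.
Once a worker has dropped to the first vhost's uid it can neither assume the
second vhost's uid nor get root back, which is why a per-request switch would
need each process to stay root while it parses the request, or die after one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid for good. Order matters: supplementary groups and gid must be
   changed while still root, because after setuid() to a non-zero uid neither
   setgroups() nor setgid() is permitted any more. setuid() as root changes the
   real, effective and saved uid together, which is what makes the drop final. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0 && getgroups(0, NULL) != 0)
        return -1;                /* root, with supplementary groups we could not clear */
    if (setgid(gid) != 0 || getgid() != gid || getegid() != gid) return -1;
    if (setuid(uid) != 0 || getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* 1 if the process can still become root (the drop was not final), else 0. */
int can_regain_root(void) {
    if (geteuid() == 0) return 1;
    return setuid(0) == 0;        /* succeeds only if the saved uid is still 0 */
}

/* What a per-vhost worker would have to do: assume the vhost's identity once,
   then find that no other vhost's identity (and not root) is reachable afterwards.
   Returns 1 when the drop worked and was irreversible, 0 otherwise. */
int demo_one_identity_per_process(void) {
    int started_as_root = geteuid() == 0;
    /* Constructed target: uid/gid 65534 (conventionally "nobody") when started as
       root; the current identity otherwise, so the demo also runs unprivileged. */
    uid_t vhost_uid = started_as_root ? (uid_t)65534 : geteuid();
    gid_t vhost_gid = started_as_root ? (gid_t)65534 : getegid();
    if (drop_privileges(vhost_uid, vhost_gid) != 0) {
        perror("drop_privileges");
        return 0;
    }
    /* A second vhost (constructed uid 1001, or 1002 if 1001 is us) is now out of reach. */
    uid_t other_uid = vhost_uid == 1001 ? 1002 : 1001;
    errno = 0;
    if (setuid(other_uid) == 0 || errno != EPERM) return 0;
    if (can_regain_root()) return 0;
    return 1;
}

int main(void) {
    int ok = demo_one_identity_per_process();
    if (ok) printf("ok: uid %d now; the other vhost's uid and root are both out of reach\n", (int)getuid());
    else    printf("FAILED: privilege drop was not final\n");
    return ok ? 0 : 1;
}
```

Run as root it drops to 65534 and shows that neither root nor uid 1001 can be
reached afterwards; run as an ordinary user the drop is a no-op and the same two
checks still hold. The setgroups(), setgid(), setuid() order is the part that is
easy to get wrong: done the other way round the gid and the supplementary groups
stay privileged after the uid has been given up.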


Re: suexec - false sense of security
> It seems to me that there is a far better method of implementing this type
> of security strategy. Is it not possible to have apache drop to the user
> and group specified in the Virtual Hosts directive when performing ANY and
> ALL operations related to that virtual host? I'm amazed it doesn't work
> this way now though I admit I have little understanding of the
> complexities of this issue.

With 1.3, to be able to change the UID for every request, Apache would need to be
running as root and that would be a huge security risk.

> This would solve a multitude of other issues our users have with
> permissions and security. Is there any possible way of implementing this
> now? Does Apache 2.x support this?

Check the perchild MPM documentation

Daniel

RE: suexec - false sense of security
On Thu, 17 Jan 2002, Joshua Slive wrote:

>
> > From: John Lange [mailto:lists@darkcore.net]
>
> >
> > I've seen mentioned on several security related web sites that if you are
> > running Apache in a multi-user environment, it should always be built with
> > the suexec mechanism enabled to prevent users executing scripts with the
> > privileges of the web user.
> >
> > However suexec as a security mechanism is now outdated since it ONLY
> > applies to cgi-scripts and nothing else. Being as PHP and other engines
> > are now extremely popular, suexec is quite useless.
>
> That is a faulty argument. While it is true that suexec won't help for
> apache modules, there are still MANY people using cgi scripting that are
> helped by suexec.

Well, "useless" might be a bit strong. But let's just say with the now wide
popularity of the add-on modules suexec is no longer viable as the only
method of securing scripts and script-like sites.

> > It seems to me that there is a far better method of implementing this type
> > of security strategy. Is it not possible to have apache drop to the user
> > and group specified in the Virtual Hosts directive when performing ANY and
> > ALL operations related to that virtual host? I'm amazed it doesn't work
> > this way now though I admit I have little understanding of the
> > complexities of this issue.
>
> This suggestion comes up every couple months. It will not work for a couple
> reasons:
>
> 1. In order to switch privileges, apache would need to do request processing
> as root. Any bug in the request processing phase could then be a root hole.
>
> 2. Once the privileges are dropped, you can't get them back. Therefore each
> process would be able to serve only a single request before dying. That
> would kill performance. Depending on the setup, it could also make the
> server incapable of handling keep-alive requests.

Apache could (should) start as root and spawn a persistent child process
for each of its virtual hosts running under the user's ID as well as its
normal process. These children could further spawn their own children
running under the same ID as needed.

It's the same way it works now except it would be done once for each
Virtual Host that is to run suid. I'd gladly trade the overhead of the
extra processes in order to get this feature.

I suppose I could do this now if I put each Virtual Host on its own IP and
ran a separate Apache for it but that adds the overhead of having a
separate http.conf for each Virtual Host.

> > This would solve a multitude of other issues our users have with
> > permissions and security. Is there any possible way of implementing this
> > now? Does Apache 2.x support this?
>
> There is a "perchild mpm" under development for Apache 2. It handles the
> problem by keeping a pool of processes available under a number of different
> userids and then passing off requests to the correct process. This will be
> slower than the standard MPMs, but far better than your suggestion.
>
> However, the perchild mpm is not yet operational, and I have no idea when it
> will be ready.

Thank you for your comments.

John Lange



RE: suexec - false sense of security
> From: John Lange [mailto:lists@darkcore.net]
> Apache could (should) start as root and spawn a persistent child process
> for each of its virtual hosts running under the users ID as well as its
> normal process. These children could further spawn their own children
> running under the same ID as needed.
>
> Its the same way it works now except it would be done once for each
> Virtual Host that is to run suid. I'd gladly trade the overhead of the
> extra processes in order to get this feature.

Assuming you are talking about name-virtual hosts here, how do you get the
request to the right process? You can't determine the right process until
after the request has been read. So you need to hand off requests from one
process to another. Once you add that (and the fact that the 2.0 version
is multi-threaded, which allows this to scale much better), you have exactly
what perchild will do.

Joshua.
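What the hand-off Joshua describes (and the perchild pool he mentioned earlier in
the thread) looks like in code, added here as an example; it is not the thread's,
Apache's or perchild's code. It assumes a Unix with SCM_RIGHTS descriptor passing
over AF_UNIX sockets; the vhost table, the uids 1001/1002 and the request are
constructed; socketpairs stand in for the accepted client connection and for the
channel to the pool process; and the worker's own privilege drop is left out so
the demo runs unprivileged.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed vhost table: which host name is served by the pool process running as which uid. */
struct vhost { const char *host; uid_t uid; };
static const struct vhost VHOSTS[] = { { "alice.example", 1001 }, { "bob.example", 1002 } };
#define NVHOSTS (sizeof VHOSTS / sizeof VHOSTS[0])

/* Index of the vhost named in the request's Host: header (name compared case-insensitively,
   ":port" ignored, only the exact "Host:" spelling recognised), or -1 if none matches. */
int pick_vhost(const char *req) {
    const char *h = strstr(req, "\r\nHost:");
    if (!h) return -1;
    h += 7;
    while (*h == ' ' || *h == '\t') h++;
    size_t n = strcspn(h, "\r\n:");
    for (size_t i = 0; i < NVHOSTS; i++)
        if (strlen(VHOSTS[i].host) == n && strncasecmp(VHOSTS[i].host, h, n) == 0) return (int)i;
    return -1;
}

/* Pass an open descriptor over a UNIX socket (SCM_RIGHTS): the kernel installs a duplicate
   in the receiving process. One payload byte travels with it so recvmsg() has data to return. */
int send_fd(int chan, int fd) {
    char byte = 'F', cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

int recv_fd(int chan) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Read until EOF into a NUL-terminated buffer; returns the byte count. */
static ssize_t read_all(int fd, char *buf, size_t cap) {
    ssize_t n, total = 0;
    while ((size_t)total < cap - 1 && (n = read(fd, buf + total, cap - 1 - total)) > 0) total += n;
    buf[total] = '\0';
    return total;
}

/* Dispatcher/worker round trip. conn[] stands in for an accepted client connection, chan[]
   for the channel to the pool process serving VHOSTS[0] (which would already be running as
   uid 1001). Returns 1 when that worker served the request, 0 otherwise. */
int demo_handoff(void) {
    int conn[2], chan[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) != 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, chan) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                               /* worker for alice.example */
        close(chan[0]); close(conn[0]); close(conn[1]);
        int fd = recv_fd(chan[1]);
        if (fd < 0) _exit(1);
        char req[512], resp[128];
        read_all(fd, req, sizeof req);            /* headers are still queued: dispatcher only peeked */
        int len = snprintf(resp, sizeof resp, "HTTP/1.0 200 OK\r\n\r\n%s by the %s worker\n",
                           pick_vhost(req) == 0 ? "served" : "WRONG HOST", VHOSTS[0].host);
        _exit(write(fd, resp, len) == len ? 0 : 1);
    }
    close(chan[1]);
    /* Constructed client request; a real dispatcher would accept() it on the listening socket. */
    const char *request = "GET /index.html HTTP/1.0\r\nHost: alice.example\r\n\r\n";
    if (write(conn[0], request, strlen(request)) < 0) return 0;
    shutdown(conn[0], SHUT_WR);
    /* The dispatcher has to read the headers before it knows whose worker gets the connection;
       MSG_PEEK leaves them queued so the worker sees the whole request. */
    char buf[512], resp[128];
    ssize_t n = recv(conn[1], buf, sizeof buf - 1, MSG_PEEK);
    if (n <= 0) return 0;
    buf[n] = '\0';
    if (pick_vhost(buf) != 0 || send_fd(chan[0], conn[1]) != 0) return 0;
    close(conn[1]);                               /* the worker now holds its own reference */
    read_all(conn[0], resp, sizeof resp);         /* play the client and collect the reply */
    close(conn[0]); close(chan[0]);
    waitpid(pid, &status, 0);
    return strstr(resp, "served by the alice.example worker") != NULL;
}

int main(void) {
    int ok = demo_handoff();
    printf("%s\n", ok ? "ok: connection handed to the alice.example worker" : "FAILED");
    return ok ? 0 : 1;
}
```

The dispatcher only peeks at the headers, so the worker reads the request from
the beginning; a dispatcher that had already consumed the bytes would have to
forward them along with the socket. Either way the consequence Joshua draws holds:
the process that parses the request is the one that decides the uid, so either it
is privileged itself or it hands the connection on to one that already runs as
the right user.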

