Mailing List Archive: Apache: Dev

High security

Index | Next | Previous | View Threaded

nickgearls at gmail

Jan 24, 2008, 4:10 AM

Post #1 of 23 (533 views)
Permalink

High security

Hello,

As some may now, ModSecurity adds a very easy and effective way to put
Apache in jail, but chrooting the process after its initialisation, thus
putting all listening processes in jail.
You specify one directive, and the only thing you have to put in the
jail is your htdocs and logs directories; all other files (conf,
modules, httpd, libraries, etc.) are outside of the jail. This is really
top security - it's almost impossible to find something to hack.

Unfortunately, the only thing that does not work is a graceful restart,
as the process has no more access to all normal files.
Couldn't it be possible to separate the main process in 2 - one real
master performing the start/stop/restart, and one "almost main" chrooted
process which would spawn the listening children processes ?
The chrooted process could be implemented in the core, or it could be
left to ModSecurity.

That would be the top security, much more secure than any solution based
on IIS for instance.
Do you think this could be envisioned ?

Thanks,

Nick

colm at allcosts

Jan 24, 2008, 4:16 AM

Post #2 of 23 (521 views)
Permalink

Re: High security [In reply to]

On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
> You specify one directive, and the only thing you have to put in the
> jail is your htdocs and logs directories; all other files (conf,
> modules, httpd, libraries, etc.) are outside of the jail. This is really
> top security - it's almost impossible to find something to hack.

Well don't kid yourself, it makes privilege escalation by certain routes
much harder, but it's not even clost to almost impossible. There are
many forms of IPC available between the children and the root-level
Apache process anyway, and if you manage to exploit that it's game over
anyway (including breaking out of the jail).

> Unfortunately, the only thing that does not work is a graceful restart,
> as the process has no more access to all normal files.
> Couldn't it be possible to separate the main process in 2 - one real
> master performing the start/stop/restart, and one "almost main" chrooted
> process which would spawn the listening children processes ?
> The chrooted process could be implemented in the core, or it could be
> left to ModSecurity.

It'd be a new MPM.

> That would be the top security, much more secure than any solution based
> on IIS for instance.
> Do you think this could be envisioned ?

Can't see it happening personally.

--
Colm MacCárthaigh Public Key: colm+pgp[at]stdlib.net

ruediger.pluem at vodafone

Jan 24, 2008, 4:50 AM

Post #3 of 23 (521 views)
Permalink

RE: High security [In reply to]

> -----Original Message-----
> From: Colm MacCarthaigh [mailto:colm[at]allcosts.net]
> Sent: Donnerstag, 24. Januar 2008 13:16
> To: dev[at]httpd.apache.org
> Subject: Re: High security
>
> On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
> > You specify one directive, and the only thing you have to
> put in the
> > jail is your htdocs and logs directories; all other files (conf,
> > modules, httpd, libraries, etc.) are outside of the jail.
> This is really
> > top security - it's almost impossible to find something to hack.
>
> Well don't kid yourself, it makes privilege escalation by
> certain routes
> much harder, but it's not even clost to almost impossible. There are
> many forms of IPC available between the children and the root-level
> Apache process anyway, and if you manage to exploit that it's
> game over
> anyway (including breaking out of the jail).

Yep. chroot was never designed to be a security feature. It can make
things more difficult to leave a jailed area.

See also http://kerneltrap.org/Linux/Abusing_chroot

or have a look at

#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
FILE *file;

chroot("/tmp/zw/blah1");
chdir("/");
file = fopen("blah1", "w");
fprintf(file, "Hello\n");
fclose(file);
mkdir("foo", 493);
chroot("foo");
chdir("..");
chdir("blah2");
file = fopen("blah2", "w");
fprintf(file, "Hello\n");
fclose(file);
return 0;
}

which allows you to escape the chroot of /tmp/zw/blah1 if
you are still root at the point of time mkdir is executed
and write a file to /tmp/zw/blah2

Regards

Rüdiger

nickgearls at gmail

Jan 24, 2008, 7:55 AM

Post #4 of 23 (521 views)
Permalink

Re: High security [In reply to]

Yes, chroot could potentially be escaped.
Although, if you chroot the main process, then you spawn child processes
under another userid, like in standard Apache config under Unix, I
expect it to be really very difficult to escape if
1. you are not root
2. if the only files available are log files and htdocs files (even no
HTML files in case of a reverse proxy
Obviously, we could imagine a vulnerability (like a buffer overrun) in
the child Apache process that would send a signal to the main process to
use a second vulnerability, but I really find that chrooting Apache
provides a very good defense.

Now, my main question is "do I add all executables, load modules,
libraries, etc. ?". I need to if I want graceful restart (and you
usually need that in a real production environment). This definitely
higher the risk, so why not trying to improve this ?
Defense in depth is a golden rule in security, no ? So, even if chroot
may not be totally bullet proof, it should, imho, be used. And, if we
want Apache to be as secure as possible, it should be as
"chroot-friendly" as possible.

I hope this could convince some key developers ...

Nick

Plüm wrote:
>
>
>> -----Original Message-----
>> From: Colm MacCarthaigh [mailto:colm[at]allcosts.net]
>> Sent: Donnerstag, 24. Januar 2008 13:16
>> To: dev[at]httpd.apache.org
>> Subject: Re: High security
>>
>> On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
>>> You specify one directive, and the only thing you have to
>> put in the
>>> jail is your htdocs and logs directories; all other files (conf,
>>> modules, httpd, libraries, etc.) are outside of the jail.
>> This is really
>>> top security - it's almost impossible to find something to hack.
>> Well don't kid yourself, it makes privilege escalation by
>> certain routes
>> much harder, but it's not even clost to almost impossible. There are
>> many forms of IPC available between the children and the root-level
>> Apache process anyway, and if you manage to exploit that it's
>> game over
>> anyway (including breaking out of the jail).
>
> Yep. chroot was never designed to be a security feature. It can make
> things more difficult to leave a jailed area.
>
> See also http://kerneltrap.org/Linux/Abusing_chroot
>
> or have a look at
>
> #include <stdio.h>
> #include <unistd.h>
> #include <sys/stat.h>
> #include <sys/types.h>
>
> int main(int argc, char *argv[])
> {
> FILE *file;
>
> chroot("/tmp/zw/blah1");
> chdir("/");
> file = fopen("blah1", "w");
> fprintf(file, "Hello\n");
> fclose(file);
> mkdir("foo", 493);
> chroot("foo");
> chdir("..");
> chdir("blah2");
> file = fopen("blah2", "w");
> fprintf(file, "Hello\n");
> fclose(file);
> return 0;
> }
>
> which allows you to escape the chroot of /tmp/zw/blah1 if
> you are still root at the point of time mkdir is executed
> and write a file to /tmp/zw/blah2
>
> Regards
>
> Rüdiger
>

rpluem at apache

Jan 24, 2008, 12:33 PM

Post #5 of 23 (517 views)
Permalink

Re: High security [In reply to]

On 01/24/2008 04:55 PM, Nick Gearls wrote:
> Yes, chroot could potentially be escaped.
> Although, if you chroot the main process, then you spawn child processes
> under another userid, like in standard Apache config under Unix, I
> expect it to be really very difficult to escape if
> 1. you are not root
> 2. if the only files available are log files and htdocs files (even no
> HTML files in case of a reverse proxy
> Obviously, we could imagine a vulnerability (like a buffer overrun) in
> the child Apache process that would send a signal to the main process to
> use a second vulnerability, but I really find that chrooting Apache
> provides a very good defense.

It is some kind of defense, but as stated chroot is not really a security tool
(see also http://it.slashdot.org/article.pl?sid=07/09/27/2256235).
Nevertheless, back to your problem. I think there is no gain at all doing
a chroot in the httpd main process which keeps running as root. So IMHO
mod_security is doing the chroot too early by doing it in the post config hook.
I admit that I do not see any other hook at the moment to do this.
But there is a patch in trunk that does chroot only for the child processes,
just before the userid is switched. I haven't tested this so far, but this should
work with graceful restarts. Plus: You do not need to keep your logs in the chroot
jail as the logfiles are opened by the main process.

Patch: http://svn.apache.org/viewvc?view=rev&revision=611483
PR: http://issues.apache.org/bugzilla/show_bug.cgi?id=43596

Regards

Rüdiger

ivan.ristic at gmail

Jan 25, 2008, 3:31 AM

Post #6 of 23 (512 views)
Permalink

Re: High security [In reply to]

I don't think this should be a discussion of whether chroot is worth
using as a security measure. IMHO it should be about allowing Apache
users to make a choice whether they will use chroot in this way or
not. I am usually an advocate for user choice. For example, I am well
aware of the various disadvantages of chroot but I still find some
cases where it is useful. In particular, it is very good in preventing
(or limiting damage from) automated attacks. It is also very good in
significantly raising the effort required to compromise a server after
a successful compromise of the web server installation running on it
(e.g. through a badly written web application).

For the record, I have regretted including the chroot feature in
ModSecurity many times over. Not because of the feature itself (which
-- I still think -- is very useful when the circumstances are right)
but because of the support I was required to provide on the mailing
list over the years. To troubleshoot chroot issues requires a very
good understanding of how things work and takes a lot of time. Subtle
problems may arise with modules that are not expecting to be cut-off
from the filesystem half-way through, or with modules that fork at
startup. With this in mind, I have always felt the reluctance of the
Apache developers to include support for chroot has more to do with
these support issues rather than with any technical reasons. A
compromise might be to create a chroot hook and allow module
developers to use it. This would shift the support burden somewhat
from the core Apache team to those willing to engage the users
providing support.

Personally, I don't really have a need for the internal chroot feature
ever since I discovered the makejail utility (part of Debian, and
maybe other systems), which worked really well for me. On the other
hand, I am interested in getting Apache to drop certain capabilities
(where supported) at startup. I plan to look into it eventually.

On Jan 24, 2008 8:33 PM, Ruediger Pluem <rpluem[at]apache.org> wrote:
>
>
> On 01/24/2008 04:55 PM, Nick Gearls wrote:
> > Yes, chroot could potentially be escaped.
> > Although, if you chroot the main process, then you spawn child processes
> > under another userid, like in standard Apache config under Unix, I
> > expect it to be really very difficult to escape if
> > 1. you are not root
> > 2. if the only files available are log files and htdocs files (even no
> > HTML files in case of a reverse proxy
> > Obviously, we could imagine a vulnerability (like a buffer overrun) in
> > the child Apache process that would send a signal to the main process to
> > use a second vulnerability, but I really find that chrooting Apache
> > provides a very good defense.
>
> It is some kind of defense, but as stated chroot is not really a security tool
> (see also http://it.slashdot.org/article.pl?sid=07/09/27/2256235).
> Nevertheless, back to your problem. I think there is no gain at all doing
> a chroot in the httpd main process which keeps running as root. So IMHO
> mod_security is doing the chroot too early by doing it in the post config hook.
> I admit that I do not see any other hook at the moment to do this.
> But there is a patch in trunk that does chroot only for the child processes,
> just before the userid is switched. I haven't tested this so far, but this should
> work with graceful restarts. Plus: You do not need to keep your logs in the chroot
> jail as the logfiles are opened by the main process.
>
> Patch: http://svn.apache.org/viewvc?view=rev&revision=611483
> PR: http://issues.apache.org/bugzilla/show_bug.cgi?id=43596
>
> Regards
>
> Rüdiger
>
>

--
Ivan Ristic

nick at webthing

Jan 25, 2008, 5:30 AM

Post #7 of 23 (513 views)
Permalink

Re: High security [In reply to]

On Fri, 25 Jan 2008 11:31:32 +0000
"Ivan Ristic" <ivan.ristic[at]gmail.com> wrote:

> I don't think this should be a discussion of whether chroot is worth
> using as a security measure. IMHO it should be about allowing Apache
> users to make a choice whether they will use chroot in this way or
> not.

+1.

> For the record, I have regretted including the chroot feature in
> ModSecurity many times over. Not because of the feature itself (which
> -- I still think -- is very useful when the circumstances are right)
> but because of the support I was required to provide on the mailing
> list over the years. To troubleshoot chroot issues requires a very
> good understanding of how things work and takes a lot of time. Subtle
> problems may arise with modules that are not expecting to be cut-off
> from the filesystem half-way through, or with modules that fork at
> startup.

Thanks for the insight!

Chroot problems are indeed a support issue (though still a fairly
infrequent one) in apache's own support fora. I guess you've relieved
us of some part (maybe most) of that burden.

> With this in mind, I have always felt the reluctance of the
> Apache developers to include support for chroot has more to do with
> these support issues rather than with any technical reasons.

Still more likely: lack of round tuits. Builtin support could still
happen. In fact I recently committed a patch to /trunk/.

> A
> compromise might be to create a chroot hook and allow module
> developers to use it. This would shift the support burden somewhat
> from the core Apache team to those willing to engage the users
> providing support.

Isn't that basically the status quo (mod_security presumably hooks it
in at post_config?)

> Personally, I don't really have a need for the internal chroot feature
> ever since I discovered the makejail utility (part of Debian, and
> maybe other systems), which worked really well for me. On the other
> hand, I am interested in getting Apache to drop certain capabilities
> (where supported) at startup. I plan to look into it eventually.

Can we expect your contributions to the apache core code in the
not-too-distant?

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

torsten.foertsch at gmx

Jan 25, 2008, 11:44 PM

Post #8 of 23 (512 views)
Permalink

Re: High security [In reply to]

On Fri 25 Jan 2008, Nick Kew wrote:
> > A
> > compromise might be to create a chroot hook and allow module
> > developers to use it. This would shift the support burden somewhat
> > from the core Apache team to those willing to engage the users
> > providing support.
>
> Isn't that basically the status quo (mod_security presumably hooks it
> in at post_config?)

Sometimes I have missed a ChildPrivilegedInit hook that is run between fork()
and dropping privileges in the worker. That would be the right place to
chroot() I think.

Torsten

ivan.ristic at gmail

Jan 28, 2008, 1:40 AM

Post #9 of 23 (501 views)
Permalink

Re: High security [In reply to]

On Jan 25, 2008 1:30 PM, Nick Kew <nick[at]webthing.com> wrote:
>
> ...
>
> > A
> > compromise might be to create a chroot hook and allow module
> > developers to use it. This would shift the support burden somewhat
> > from the core Apache team to those willing to engage the users
> > providing support.
>
> Isn't that basically the status quo (mod_security presumably hooks it
> in at post_config?)

In ModSecurity I had to use one of the available hooks to execute the
chroot call. As Torsten mentions, that might be a much better place to
do it.

> > Personally, I don't really have a need for the internal chroot feature
> > ever since I discovered the makejail utility (part of Debian, and
> > maybe other systems), which worked really well for me. On the other
> > hand, I am interested in getting Apache to drop certain capabilities
> > (where supported) at startup. I plan to look into it eventually.
>
> Can we expect your contributions to the apache core code in the
> not-too-distant?

Possibly... Maybe I should aim to start with something simpler; for
example, by proposing the suexec chroot patch I have lying around
somewhere.

> --
> Nick Kew
>
> Application Development with Apache - the Apache Modules Book
> http://www.apachetutor.org/
>

--
Ivan Ristic

nickgearls at gmail

Jan 29, 2008, 7:11 AM

Post #10 of 23 (499 views)
Permalink

Re: High security [In reply to]

I'm running the patch for one week on a production server, and it works
perfectly (http://svn.apache.org/viewvc?view=rev&revision=611483).
When using Apache as a reverse proxy, the chroot environment is totally
empty (except libgcc_s.so.1).

Could we include this in next build ?
As it is very limited (basically 3 basic function calls plus the
logging), it is trivial to review.

+1

Regards,

Nick

[.... discussion about chroot effectiveness and letting the final choice
to the user to use it or not ...]

nickgearls at gmail

May 6, 2008, 6:27 AM

Post #11 of 23 (379 views)
Permalink

Re: High security [In reply to]

Just a little adding: by adding "LoadFile libgcc_s.so.1" in httpd.conf,
I don't have any more file in the chroot (except "htdocs" if not in pure
proxy mode).

This feature is really great !
Any reason to not include it ?

Regards,

Nick

Nick Gearls wrote:
> I'm running the patch for one week on a production server, and it works
> perfectly (http://svn.apache.org/viewvc?view=rev&revision=611483).
> When using Apache as a reverse proxy, the chroot environment is totally
> empty (except libgcc_s.so.1).
>
> Could we include this in next build ?
> As it is very limited (basically 3 basic function calls plus the
> logging), it is trivial to review.
>
> +1
>
> Regards,
>
> Nick
>
>
> [.... discussion about chroot effectiveness and letting the final choice
> to the user to use it or not ...]
>

dirkx at webweaving

May 6, 2008, 6:38 AM

Post #12 of 23 (379 views)
Permalink

Re: High security [In reply to]

On May 6, 2008, at 3:27 PM, Nick Gearls wrote:

> Just a little adding: by adding "LoadFile libgcc_s.so.1" in
> httpd.conf, I don't have any more file in the chroot (except
> "htdocs" if not in pure proxy mode).

Is there a patch for the docs as well ? Including above trick ?

>
>
> Nick Gearls wrote:
>> I'm running the patch for one week on a production server, and it
>> works perfectly (http://svn.apache.org/viewvc?view=rev&revision=611483
>> ).
>> When using Apache as a reverse proxy, the chroot environment is
>> totally empty (except libgcc_s.so.1).
>> Could we include this in next build ?
>> As it is very limited (basically 3 basic function calls plus the
>> logging), it is trivial to review.
>> +1
>> Regards,
>> Nick
>> [.... discussion about chroot effectiveness and letting the final
>> choice to the user to use it or not ...]

nickgearls at gmail

May 6, 2008, 7:12 AM

Post #13 of 23 (379 views)
Permalink

Re: High security [In reply to]

If there's a chance to add it, I'm ready to write the doc patch

Nick

Dirk-Willem van Gulik wrote:
>
> On May 6, 2008, at 3:27 PM, Nick Gearls wrote:
>
>> Just a little adding: by adding "LoadFile libgcc_s.so.1" in
>> httpd.conf, I don't have any more file in the chroot (except "htdocs"
>> if not in pure proxy mode).
>
> Is there a patch for the docs as well ? Including above trick ?
>
>>
>>
>> Nick Gearls wrote:
>>> I'm running the patch for one week on a production server, and it
>>> works perfectly (http://svn.apache.org/viewvc?view=rev&revision=611483).
>>> When using Apache as a reverse proxy, the chroot environment is
>>> totally empty (except libgcc_s.so.1).
>>> Could we include this in next build ?
>>> As it is very limited (basically 3 basic function calls plus the
>>> logging), it is trivial to review.
>>> +1
>>> Regards,
>>> Nick
>>> [.... discussion about chroot effectiveness and letting the final
>>> choice to the user to use it or not ...]
>
>

dirkx at webweaving

May 6, 2008, 7:20 AM

Post #14 of 23 (379 views)
Permalink

Re: High security [In reply to]

On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
> If there's a chance to add it, I'm ready to write the doc patch

Lets get that in there - and then lets (or I'll) backport it - so it
goes into the next release.

> Dirk-Willem van Gulik wrote:
>> On May 6, 2008, at 3:27 PM, Nick Gearls wrote:
>>> Just a little adding: by adding "LoadFile libgcc_s.so.1" in
>>> httpd.conf, I don't have any more file in the chroot (except
>>> "htdocs" if not in pure proxy mode).
>> Is there a patch for the docs as well ? Including above trick ?
>>>
>>>
>>> Nick Gearls wrote:
>>>> I'm running the patch for one week on a production server, and it
>>>> works perfectly (http://svn.apache.org/viewvc?view=rev&revision=611483
>>>> ).
>>>> When using Apache as a reverse proxy, the chroot environment is
>>>> totally empty (except libgcc_s.so.1).
>>>> Could we include this in next build ?
>>>> As it is very limited (basically 3 basic function calls plus the
>>>> logging), it is trivial to review.
>>>> +1
>>>> Regards,
>>>> Nick
>>>> [.... discussion about chroot effectiveness and letting the final
>>>> choice to the user to use it or not ...]

Dw.

ruediger.pluem at vodafone

May 6, 2008, 7:44 AM

Post #15 of 23 (379 views)
Permalink

Re: High security [In reply to]

> -----Ursprüngliche Nachricht-----
> Von: Dirk-Willem van Gulik
> Gesendet: Dienstag, 6. Mai 2008 16:20
> An: dev[at]httpd.apache.org
> Betreff: Re: High security
>
>
> On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
> > If there's a chance to add it, I'm ready to write the doc patch
>
> Lets get that in there - and then lets (or I'll) backport it - so it
> goes into the next release.

There is already a backport proposal in the STATUS file:

http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?revision=653778&view=markup

Regards

Rüdiger

dirkx at webweaving

May 6, 2008, 8:00 AM

Post #16 of 23 (378 views)
Permalink

Re: High security [In reply to]

On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
> If there's a chance to add it, I'm ready to write the doc patch

I did below a while ago. May be useful as a start.

Dw

Index: mpm_common.xml
===================================================================
--- mpm_common.xml (revision 653793)
+++ mpm_common.xml (working copy)
@@ -1039,14 +1039,26 @@
<module>prefork</module><module>worker</module></modulelist>

<usage>
- This directive, available in httpd 2.2.9(?) and later, tells the
+ This directive, available in httpd 2.2.9(?) and later on unix,
tells the
server to <var>chroot(8)</var> to the specified directory after
- startup, but before accepting requests over the 'net.
- Note that running the server under chroot is not simple,
- and requires additional setup, particularly if you are running
- scripts such as CGI or PHP. Please make sure you are properly
- familiar with the operation of chroot before attempting to use
- this feature.
+ startup and logfile-opening, but before accepting requests over
the 'net.
+ <note type="warning"><title>Security</title>
+ Note that running the server under chroot is not simple,
+ and requires additional setup, particularly if you are running
+ scripts such as CGI or PHP. Please make sure you are properly
+ familiar with the operation of chroot before attempting to use
+ this feature.
+ </note>
+ In conjunction the <directive module="mod_so">LoadFile</
directive>
+ directive which can be used to load dependencies (for example a
library such as
+ <code>libgcc_s.so.1</code>) prior to the chroot - thus allowing
+ a nearly empty chroot environment. See the <page href="howto/
chroot.html">
+ howto on chroot</page> for more information.
+ for an example.
+ <note><title>Note</title>
+ This directive is only available on unix platforms which
+ support chroot(2).
+ </note>
</usage>
</directivesynopsis>

ruediger.pluem at vodafone

May 6, 2008, 8:03 AM

Post #17 of 23 (379 views)
Permalink

re: High security [In reply to]

> -----Ursprüngliche Nachricht-----
> Von: Dirk-Willem van Gulik
> Gesendet: Dienstag, 6. Mai 2008 17:00
> An: dev[at]httpd.apache.org
> Betreff: Re: High security
>
>
> On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
> > If there's a chance to add it, I'm ready to write the doc patch
>
>
> I did below a while ago. May be useful as a start.

There is already a documentation in trunk for this:

http://svn.apache.org/viewvc?view=rev&revision=639005

Regards

Rüdiger

dirkx at webweaving

May 6, 2008, 8:09 AM

Post #18 of 23 (378 views)
Permalink

Re: High security [In reply to]

On May 6, 2008, at 5:03 PM, Plüm, Rüdiger, VF-Group wrote:
>
>
>> -----Ursprüngliche Nachricht-----
>> Von: Dirk-Willem van Gulik
>> Gesendet: Dienstag, 6. Mai 2008 17:00
>> An: dev[at]httpd.apache.org
>> Betreff: Re: High security
>>
>>
>> On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
>>> If there's a chance to add it, I'm ready to write the doc patch
>>
>>
>> I did below a while ago. May be useful as a start.
>
> There is already a documentation in trunk for this:
>
> http://svn.apache.org/viewvc?view=rev&revision=639005

Aye - I edited on top of that version.

Dw.

nickgearls at gmail

May 6, 2008, 8:10 AM

Post #19 of 23 (379 views)
Permalink

Re: High security [In reply to]

Can you tell me where to find the XML doc file ?
It's not obvious from the site :-(

Thanks,

Nick

Dirk-Willem van Gulik wrote:
>
> On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
>> If there's a chance to add it, I'm ready to write the doc patch
>
> Lets get that in there - and then lets (or I'll) backport it - so it
> goes into the next release.
>
>> Dirk-Willem van Gulik wrote:
>>> On May 6, 2008, at 3:27 PM, Nick Gearls wrote:
>>>> Just a little adding: by adding "LoadFile libgcc_s.so.1" in
>>>> httpd.conf, I don't have any more file in the chroot (except
>>>> "htdocs" if not in pure proxy mode).
>>> Is there a patch for the docs as well ? Including above trick ?
>>>>
>>>>
>>>> Nick Gearls wrote:
>>>>> I'm running the patch for one week on a production server, and it
>>>>> works perfectly
>>>>> (http://svn.apache.org/viewvc?view=rev&revision=611483).
>>>>> When using Apache as a reverse proxy, the chroot environment is
>>>>> totally empty (except libgcc_s.so.1).
>>>>> Could we include this in next build ?
>>>>> As it is very limited (basically 3 basic function calls plus the
>>>>> logging), it is trivial to review.
>>>>> +1
>>>>> Regards,
>>>>> Nick
>>>>> [.... discussion about chroot effectiveness and letting the final
>>>>> choice to the user to use it or not ...]
>
>
> Dw.
>

sctemme at apache

May 6, 2008, 9:36 AM

Post #20 of 23 (378 views)
Permalink

Re: High security [In reply to]

On May 6, 2008, at 8:10 AM, Nick Gearls wrote:

> Can you tell me where to find the XML doc file ?
> It's not obvious from the site :-(

Check out the httpd trunk:

svn co http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd

and the XML file we're talking about will be

httpd/docs/manual/mod/mpm_common.xml

S.

--
Sander Temme
sctemme[at]apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF

Attachments:

smime.p7s (2.38 KB)

nickgearls at gmail

May 7, 2008, 2:00 AM

Post #21 of 23 (362 views)
Permalink

Re: High security [In reply to]

I propose to add the following:

In the usage:
All config files, logs, etc. are used by the main process and should
thus not be stored in the chroot. Only files used by children listeners
must be present in the chroot.

<note><title>Content of the chroot</title>
The following files must be present in the chroot:
<ul><li>/lib/libgcc_s.so.1 (Linux)</li>
<li>if bind (DNS) is used: /etc/resolv.conf &
/lib/libnss_dns.so.2 (Linux)</li>
<li>if a hosts file is used: /etc/hosts</li>
<li>if both a hosts file and bind (DNS) are used:
/etc/hosts.conf</li>
<li>HTML files (htdocs/ files)</li>
<li>Temporary files used by modules (ex: ModSecurity temp
files)</li>
<li>When using additional modules, other files may be needed</li>
</ul>
Remark: shared object can also be loaded explicitely
in httpd.conf, instead of copying them into the chroot.
When using Apache as a reverse proxy, the chroot could thus potentially
be totally empty.
</note>

Regards,

Nick

Dirk-Willem van Gulik wrote:
>
> On May 6, 2008, at 5:03 PM, Plüm, Rüdiger, VF-Group wrote:
>>
>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: Dirk-Willem van Gulik
>>> Gesendet: Dienstag, 6. Mai 2008 17:00
>>> An: dev[at]httpd.apache.org
>>> Betreff: Re: High security
>>>
>>>
>>> On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
>>>> If there's a chance to add it, I'm ready to write the doc patch
>>>
>>>
>>> I did below a while ago. May be useful as a start.
>>
>> There is already a documentation in trunk for this:
>>
>> http://svn.apache.org/viewvc?view=rev&revision=639005
>
>
> Aye - I edited on top of that version.
>
> Dw.

dirkx at webweaving

May 7, 2008, 3:42 AM

Post #22 of 23 (351 views)
Permalink

Re: High security [In reply to]

On May 7, 2008, at 11:00 AM, Nick Gearls wrote:
> I propose to add the following:
>
> In the usage:
> All config files, logs, etc. are used by the main process and should
> thus not be stored in the chroot. Only files used by children
> listeners must be present in the chroot.
>
> <note><title>Content of the chroot</title>
> The following files must be present in the chroot:
> <ul><li>/lib/libgcc_s.so.1 (Linux)</li>
> <li>if bind (DNS) is used: /etc/resolv.conf & /lib/
> libnss_dns.so.2 (Linux)</li>
> <li>if a hosts file is used: /etc/hosts</li>
> <li>if both a hosts file and bind (DNS) are used: /etc/
> hosts.conf</li>
> <li>HTML files (htdocs/ files)</li>
> <li>Temporary files used by modules (ex: ModSecurity temp
> files)</li>
> <li>When using additional modules, other files may be
> needed</li>
> </ul>
> Remark: shared object can also be loaded explicitely
> in httpd.conf, instead of copying them into the chroot.
> When using Apache as a reverse proxy, the chroot could thus
> potentially
> be totally empty.
> </note>

I was sort of hoping for a separate how-to page; with the exact 'chmod/
own' settings, groups
you need to create, information about the log file locations/
ownership, the ownership of the
cache directories and so on.

Dw,.

info at ch2o

May 7, 2008, 2:33 PM

Post #23 of 23 (350 views)
Permalink

Re: High security [In reply to]

hi all,

sorry to enter so later in the discution...

i'm ok with you torsten (+1), i think is the good place to do it, think
adding hook like pre_childinit that occure before unixd_setup_child

remove the root rigth (in child_init you lost the root right juste
before) can be more generic way. and after use this hook to do
implemente the chroot option as loadable module.
and i think can be usefull for other module to have chance to use root
right juste before is removed in child_init...

existe other implementation of chroot in apache and i think many
interesting hints to use chroot in apache are in the page of mod_chroot:
http://core.segfault.pl/~hobbit/mod_chroot/caveats.html
i think is interesting to add some of this in the documentation also...

and loadfile of libgcc_s.so.1 is only needed in threaded mpm version.
because the thread lib use some symbole of libgcc_s.so.1 that are
autoloaded in child when create thread after unixd_setup_child occure...

i've made modified version (at 02/08) of mod_chroot that work like your
modification (chrooting juste before seting up setuid in the

child) but without modifying apache code and working with ap 2.0 and 2.2...

it work like that, i save the unixd_config.user_id in pre_mpm hook, and
force it to 0 (root), in that way in child_init root your are root

(unixd_setup_child skip changing user_id)!
like i can do the chroot in child_init hook, and restore
unixd_config.user_id and redo unixd_setup_child to remove root right.

i think an other modification must be done to be complete... is to
modify the way DocumentRoot global context cmd check if the path is

directory or not, will be very good, to check document root path in
chroot directory relative in place of server_root if chroot option is

activated.

without that modification you must have DocumentRoot in the chroot path
and outside the chroot path like that :
if chroot dir is /var/chroot and globale document root to
/var/chroot/www in httpd.conf
your globale document root point to /var/chroot/www/var/chroot/www.

with that modification you can set globale document root in the jail
path without problem...

a work around exist... using documentroot in virtualhost...
in vhost you can use path in the jail without problem because
documentroot cmd in the jail are executed
when vhost are checked... far later from the point the chroot occure
(juste before unixd_setup_child)...

in that way can be possible to set globale DocumentRoot to same dir of
chroot, and use only vhost to specify Document root directory...

but is not completely transparent because you must set a fake globale
document root that exist ouside the jail and you are obliged to use

vhost...

in my mod_chroot modification in correcte all path transparantly on the
fly (in translate hook, and map_to_storage hook) to work around

this (to do it without modification in apache code!)...but is more havy
modification... and more risky...

Regards,
Mathieu

------------------------------------------------------------------------
*From:* Torsten Foertsch
*Sent:* Sat, 26 Jan 2008 08:44:17 +0100

On Fri 25 Jan 2008, Nick Kew wrote:
> > A
> > compromise might be to create a chroot hook and allow module
> > developers to use it. This would shift the support burden somewhat
> > from the core Apache team to those willing to engage the users
> > providing support.
>
> Isn't that basically the status quo (mod_security presumably hooks it
> in at post_config?)

Sometimes I have missed a ChildPrivilegedInit hook that is run
between fork()
and dropping privileges in the worker. That would be the right place to
chroot() I think.

Torsten

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com