jille at quis
May 8, 2008, 10:17 AM
Post #4 of 6
(259 views)
Permalink
|
|
Re: User/group security without CGI (SuEXEC)
[In reply to]
|
|
Lazy wrote:
> 2008/5/5 Jille Timmermans <jille[at]quis.cx>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hello hackers!
>>
>> I was thinking of creating a more secure environment for running
>> webscripts (mod_php in my case),
>> I want to run php scripts as their owner.
>>
>> I tought of the following scheme's:
>> http://junk.quis.cx/fViKmLRi/apache-user-scheme-p1.png
>> http://junk.quis.cx/bPkxwAbI/apache-user-scheme-p2.png
>>
>> And an setting:
>> ExecutiveUser %n # This should run php scripts as $script-owner
>> ExecutiveUser www-%n # this should run php scripts as www-$scriptowner
>> ExecutiveGroup www
>> ExecutiveGroup www-%n
>> (%n meaning the script-owners username, and eg %u for the script-owners
>> uid)
>>
>> This would (eg) enable me to:
>> quis[at]istud:~# id
>> uid=1000(quis) gid=1000(users) groups=1000(users),10000(www-quis)
>> quis[at]istud:~# id www-quis
>> uid=10000(www-quis) gid=10000(www-quis) groups=10000(www-quis)
>> quis[at]istud:~# chown quis:www-quis public_html
>> quis[at]istud:~# chmod 750 public_html
>>
>> So only 'my' apache-runas user can access my scripts.
>>
>> How do you think about this idea ?
>> It does decrease the performance a bit (Workers should parse the
>> request, put it in some shm, Executive should pick it up from the shm
>> and really run the php-script (See the links above for the terms Worker
>> and Executive)
>> But if the option is not specified it is possible to do it 'the old way'.
>> Would it be possible to implement this as an MPM, or MOD ?
>> (I don't know enough (yet) of apache to say that.)
>> If that is possible there is no loss when it is disabled.
> take a look at peruser (http://www.telana.com/peruser.php)
>
> It supports ssl, keep-alive, chroot and chuid per vhost
>
> in simple configurations it seems to work out of the box with some quirks
> 1) graceful segfaults (apache continues to work)
> 2) on machines with multiple processors it hangs badly on gaceful restarts
> 3) some minor issues with ssl cache
>
> last week, I think I ironed out 1 & 2 graceful's work flawlessly on a
> busy webserwer (2xdc opteron) (around 300 diferent users with many
> more vhosts).
>
> Sadly support list for peruser seems to be dead and latest patch is
> based on 2.2.3.
>
> I fixed 2 race conditions, added limited support for ssl for
> NamevirtualHosts and did some minor patches.
>
> All without answer so i guess peruser isn't in active development anymore.
>
> There is still an memory leak to plug, maybe my patches did some wrong
> but for now it's not a big headache.
>
> Peruser now for me is quite usable, i have some ideas to improve it. I
> will do it anyway because i need it for my work.
>
> Somebody told me to fork it, but will anyone care ?
I would really like to run it myself,
and I know a few others who would also like it.
I am willing to help you, however I don't know how.
My C skills are not that good, so I can't do it on my own.
I might be able to kill bugs if apache crashes and I can get a backtrace.
I can help you test it on FreeBSD, (FreeBSD jails are quite useful for
testing).
I think peruser would be a nice feature for apache, it would be a shame
if it got abandoned.
-- Jille
|
