mod_become 1.03

mod_become module enables the web server to take on the access rights of a user & group, so that ~users can make available files to t

Developer:   Anthony Howe       more software by author → Price:  0.00 License:   Free To Use But Restricted File size:   0K Language:    OS:    Rating:   1 /5 (1 votes) Your vote:   enlarge screenshot

mod_become module enables the web server to take on the access rights of a user & group, so that ~users can make available files to the web without having to make them readable by the world on the local file system. This can be useful for sites with a large number of users who want to apply file access controls among themselves. This module can also be applied to virtual hosts, directories, and locations.

When the server is configured with "User root" (see Security), then this module will behave as though the directive "MaxRequestsPerChild 1" were set for the server and "KeepAlive off" were set for the server and every virtual host where a mod_become directive appears, which essentially limits the server and those virtual hosts to HTTP/1.0 behaviour.

Therefore, for each request, this module will setuid() and setgid() the process handling the request based on one of the policies outlined below. Once the request is completed, the process will terminate. The parent server will be responsible for spawning a new child process to handle any future requests.

The source can be compiled to use seteuid() and setegid() instead of setuid() and setgid() (see the top of the Makefile), but is NOT the default. Use of seteuid() and setegid() can improve preformance by avoiding the need to kill the Apache child process between requests, but it DOES have significant security issues. For example modules like mod_php or mod_perl that provide APIs to seteuid() and setegid(), could be used to become root user once again and do what ever they want.

Essentially any module that is part of the Apache process space could revert to root user if they make use of seteuid() and setegid(). It is recommended that within mod_php, mod_perl, and other language modules that these APIs be disabled. CGIs that are launched as a separate process by Apache should, in theory, be safe, since the effective user and group ID become the real user and group ID of the child process and therefore cannot revert back to root (if I understand things correctly).

Configuration

The commands below can be added to the general Apache configuration file, httpd.conf.

User id
Context: global, < VirtualHost >

This is not part of mod_become, but is used to enable or disable mod_become's behaviour, since mod_become can only function when "User root" is specified for the main server configuration. You need to compile Apache with -DBIG_SECURITY_HOLE in order to do this.

Become user id
Become group id
Context: server, < VirtualHost >, < Directory >, < Location >

Specify the user or group to be used by default. When the BecomePolicy is user-group, then these will always be used. If the main server configuration fails to set the default user and group, then an error 503 Service Unavailable and a error log entry may occur should these values be required.

BecomePolicy policy
Context: global, < VirtualHost >, < Directory >, < Location >

Specify the policy used to set the user & group ids of the child process:
file

The user & group of the requested file are used. Not recommend.
user-group

The default user & group specified are used. This is similar in behaviour to the Apache core directives User and Group. This is the default policy.
document-root

The user & group of the server's or virtual host's document root is used.
parent-directory

The user & group of the request's parent directory is used. When the request corresponds to a directory, then it is used instead of its parent.

BecomeRoot boolean
Context: global, < VirtualHost >, < Directory >, < Location >

When true, mod_become will allow the process to operate as root user or group; otherwise a 403 Forbidden error and a error log entry will occur if the process attempts to become root user or group. By default this is set false.

Requirements:

Apache 1.3.x
tags mod become  the user  the server  and setegid  seteuid and  child process  the default  and group  user and  the process  root user  the request  the apache  

Download mod_become 1.03

 http://www.snert.com/Software/mod_become/mod_become103.tgz

Authors software

Similar software

mod_become 1.03 (by Anthony Howe) mod_become module enables the web server to take on the access rights of a user & group, so that ~users can make available files to t

mod_verify 1.4 (by Anthony C Howe) mod_verify Apache module is a ownership & permission verification for Apache 1.3. This module is intended to verify ownership and

mod_vd 2.0 (by Anthony C Howe) mod_vd Apache 2.0 module is similar to mod_vhost_alias, in that it maps the request host name and URI to the file system

mod_ruid 0.6 (by Hideo NAKAMITSU and Pavel Stano) mod_ruid is an Apache module based on mod_suid2 only for linux. -it runs only on linux because afaik only linux has implemented po

mod_chroot 0.5 (by Marek Gutkowski) You don't need to create a special directory hierarchy containing /dev, /lib, /etc... Why chroot? For security. chroot(2) ch

mod_dav_fs_diskquota 20060315 (by Akira YOSHIYAMA) mod_dav_fs_diskquota module is a derived work of mod_dav_fs in Apache 2.0. When it stores files or directories, it changes their o

mod_auth_shadow 1.5 (by Brian Duggan) mod_auth_shadow is an Apache module for authentication using /etc/shadow. When performing this task one encounters one fundamental

mod_auth_shadow2 2.1 (by Brian Duggan) mod_auth_shadow is an Apache module for authentication using /etc/shadow. When performing this task one encounters one fundamental

mod_auth_aix 1.4 (by Markus Zahn) "Loadable Authentication Modules" are AIX's way to extend the identification and authentication functions of the operating system

mod_samoylyk 1.0.2 (by Oleksandr Samoylyk) mod_samoylyk is a dynamic virtual hosting module for Apache What's it for? This module is for a fast (each virtual host with mo

Other software in this category

SquirrelMail 1.5.1 (by The SquirrelMail Project Team) SquirrelMail is a standards-based Webmail package written in PHP4

Tiki CMS/Groupware 1.9.7 (by Luis Argerich)

Downloader for X 2.5.7 (by Chuchelo) Downloader for X is a tool for downloading files from the Internet via both HTT

Links 2.1pre26 (by Martin Pergel) Links is graphics and text mode WWW browser, similar to Lynx

Mozilla Firefox 1.5.0.8 (by Mozilla Project)