Privilege Separation for Apache 1.3.34-0.2 review
Privilege Separation for Apache patch addresses the problem of an Apache WebDAV server only being able to write files as the apache user (usually something like 'nobody' or 'www'). It addresses this problem in a secure way by adding privilege separation to the Apache web server (conceptually similar to ssh privilege separation).
A privilege-separated Apache can be used, for instance, to allow WebDAV access to ~user directories and also to allow the use of Unix quotas. WebDAV clients are seamlessly integrated into both Windows and Mac OS X, providing a convenient and secure method for remote access.
In Privilege Separation mode Apache continues to run as an unprivileged user, although one additional secure process runs as 'root'. The 'root' privilege-separated process communicates with the main Apache process via Unix sockets and has two purposes:
- Responds to PAM authentication requests (pam_unix authentication is not normally possible because the unprivileged Apache process cannot read shadow passwords; the privilege-separated design makes it both possible and secure). Authentication responses include a cryptographic cookie which encodes the user's credentials and is verified in subsequent privileged filesystem requests made to the privsep process.
- Performs privileged filesystem operations on behalf of the unprivileged Apache process with the privileges of the authenticated user. The cryptographic cookie is verified, then the effective user ID is set and the filesystem operation is performed. Certain auditable points in the Apache and mod_dav code have been changed to use the privsep calls, which communicate via Unix sockets (priv_open, priv_unlink, priv_rmdir, etc.). For open calls, file descriptors are passed back over the Unix socket.
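The cookie check and descriptor passing described above, as an added example that is not code from the apache-privsep patch: a toy model of one priv_open round trip over a Unix socketpair, with the privileged side verifying the cookie, switching effective uid (only when it really is root), opening the file and passing the descriptor back with SCM_RIGHTS. The HMAC-SHA256 cookie layout (uid || MAC), the message format and the function names are assumptions of this example, not the patch's own.

```python
import array, hashlib, hmac, os, socket, struct, tempfile, threading

PRIVSEP_KEY = os.urandom(32)   # assumed: secret known only to the privileged process
def issue_cookie(uid):
    """Privileged side, once PAM accepts the user: uid || HMAC-SHA256(key, uid)."""
    body = struct.pack("!I", uid)
    return body + hmac.new(PRIVSEP_KEY, body, hashlib.sha256).digest()

def verify_cookie(cookie):
    """The uid the cookie was issued for, or None if its MAC does not check out."""
    expect = hmac.new(PRIVSEP_KEY, cookie[:4], hashlib.sha256).digest()
    return struct.unpack("!I", cookie[:4])[0] if hmac.compare_digest(cookie[4:], expect) else None

def priv_open_serve(sock):
    """Privileged process: one open request in, a passed descriptor or a refusal out."""
    msg = sock.recv(4096)
    cookie, flags, path = msg[:36], struct.unpack("!i", msg[36:40])[0], msg[40:].decode()
    uid, fd = verify_cookie(cookie), -1
    if uid is not None:                 # bad cookie: the filesystem is never touched
        try:
            if os.geteuid() == 0: os.seteuid(uid)   # only root can switch; open() is then checked as that user
            fd = os.open(path, flags, 0o600)
        except OSError: pass
        finally:
            if os.getuid() == 0: os.seteuid(0)      # always return to root before the next request
    if fd < 0: return sock.send(b"E")
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])
    os.close(fd)                        # the worker now holds its own copy of the descriptor

def priv_open_request(sock, cookie, path, flags):
    """Unprivileged worker: send the request; get back an fd, or None if refused."""
    sock.send(cookie + struct.pack("!i", flags) + path.encode())
    data, anc, _, _ = sock.recvmsg(1, socket.CMSG_SPACE(4))
    if data != b"F" or not anc: return None
    return array.array("i", anc[0][2][:4])[0]   # the descriptor carried in SCM_RIGHTS

def demo():
    """Both sides over a socketpair; returns file text per cookie, None where refused."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:   # constructed sample file
        f.write("hello via privsep")
    good = issue_cookie(os.getuid())
    forged = good[:4] + hmac.new(b"wrong key", good[:4], hashlib.sha256).digest()
    out = {}
    for name, cookie in (("valid", good), ("forged", forged)):
        worker, privsep = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        threading.Thread(target=priv_open_serve, args=(privsep,)).start()
        fd = priv_open_request(worker, cookie, f.name, os.O_RDONLY)
        out[name] = os.read(fd, 64).decode() if fd is not None else None
    os.unlink(f.name)
    return out
```

The worker never sees the key and never calls open() itself; a cookie with a wrong MAC is refused before any filesystem call, which is the property the real privsep process relies on.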
Requirements:
The apache-privsep patches work in conjunction with mod_dav, mod_ssl and PAM to provide secure authentication and access to directories exported with privilege separation. The patchset includes a patch for mod_dav.
Note: The Apache privsep patch will currently only work on Linux, due to internal glibc assumptions about how directory file descriptors are returned from opendir. It should be easy to modify for other Unices that support file descriptor passing over Unix domain sockets (assuming you can get access to directory file descriptors).