Posted to dev@httpd.apache.org by Jordi Prats <jo...@gmail.com> on 2009/12/15 19:27:22 UTC

apache module's privileges

Hi all,
I've a question about module's permissions. A module with a hook on
post_config like this:

static int sixs_code_config(apr_pool_t *p, apr_pool_t *log, apr_pool_t *temp, server_rec *s)
{
        system("id >/tmp/id_apache_baltar");
        return OK;
}

ap_hook_post_config(sixs_code_config, NULL, NULL, APR_HOOK_FIRST);

If you start apache with root as usual, you realize that every module
is able to run code with root privileges:

# cat /tmp/id_apache_baltar
uid=0(root) gid=0(root)

Why is coded this way? Shouldn't run with lower privileges? Maybe some
modules need root privileges, couldn't be a config option to lower
permissions or not to do so?

regards,
-- 
Jordi

Re: apache module's privileges

Posted by Jordi Prats <jo...@gmail.com>.
On Tue, Dec 15, 2009 at 9:33 PM, Graham Dumpleton
<gr...@gmail.com> wrote:
>
> There is a lot more to it than that.
>
> Parts of the code of an Apache module that are run in the Apache parent
> process will run as that user, normally root, but handling of actual
> requests in an Apache worker process is done as a less privileged user.
>
> Suggest OP read:
>
>  http://www.fmc-modeling.org/category/projects/apache/amp/Apache_Modeling_Project.html

Thank you! It seems quite interesting!



>  to understand the whole life cycle of Apache configuration and
> initialisation, and of separate per request life cycle.
>
> Graham
>



-- 
Jordi

Re: apache module's privileges

Posted by Dan Poirier <po...@pobox.com>.
Graham Dumpleton <gr...@gmail.com> writes:

> 2009/12/16 Dan Poirier <po...@pobox.com>:
>> Jordi Prats <jo...@gmail.com> writes:
>>
>>> If you start apache with root as usual, you realize that every module
>>> is able to run code with root privileges:
>> ...
>>> Why is coded this way? Shouldn't run with lower privileges?
>>
>> No. That's not the purpose of apache modules.
>
> There is a lot more to it than that.

Well, yeah, but the main misconception seemed to be that the purpose of
Apache modules was to limit the privileges available to modules.
("Shouldn't [sic] run with lower privileges?")  In reality if you run
Apache as root and load a module, that module can do anything it wants
as root, and that's by design, not an inherent flaw in Apache.

Re: apache module's privileges

Posted by Graham Dumpleton <gr...@gmail.com>.
2009/12/16 Dan Poirier <po...@pobox.com>:
> Jordi Prats <jo...@gmail.com> writes:
>
>> If you start apache with root as usual, you realize that every module
>> is able to run code with root privileges:
> ...
>> Why is coded this way? Shouldn't run with lower privileges?
>
> No.  That's not the purpose of apache modules.

There is a lot more to it than that.

Parts of the code of an Apache module that are run in the Apache parent
process will run as that user, normally root, but handling of actual
requests in an Apache worker process is done as a less privileged user.

Suggest OP read:

  http://www.fmc-modeling.org/category/projects/apache/amp/Apache_Modeling_Project.html

 to understand the whole life cycle of Apache configuration and
initialisation, and of separate per request life cycle.

Graham

Re: apache module's privileges

Posted by Dan Poirier <po...@pobox.com>.
Jordi Prats <jo...@gmail.com> writes:

> If you start apache with root as usual, you realize that every module
> is able to run code with root privileges:
...
> Why is coded this way? Shouldn't run with lower privileges? 

No.  That's not the purpose of apache modules.

Re: apache module's privileges

Posted by Graham Leggett <mi...@sharp.fm>.
Jordi Prats wrote:

> I've a question about module's permissions. A module with a hook on
> post_config like this:
> 
> static int sixs_code_config(apr_pool_t *p, apr_pool_t *log, apr_pool_t *temp, server_rec *s)
> {
>         system("id >/tmp/id_apache_baltar");
>         return OK;
> }
> 
> ap_hook_post_config(sixs_code_config, NULL, NULL, APR_HOOK_FIRST);
> 
> If you start apache with root as usual, you realize that every module
> is able to run code with root privileges:
> 
> # cat /tmp/id_apache_baltar
> uid=0(root) gid=0(root)
> 
> Why is coded this way? Shouldn't run with lower privileges? Maybe some
> modules need root privileges, couldn't be a config option to lower
> permissions or not to do so?

The way it works is that the server runs with root privileges when the
server starts, and root is used to bind to privileged ports, open
logfiles and do various tasks that require elevated privileges.

When the startup phase is complete, the server drops its root
privileges, and at that point it starts to serve requests, in a reduced
privilege environment.

The code you quote above is run as part of the startup phase of the server.

You've said "module's permissions" above; the purpose of modules is to
extend the functionality of the server, they do not represent a security
boundary of any kind.

Regards,
Graham
--
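
The start-as-root, drop-before-serving life cycle described in the replies above, as an added example that is not part of the thread and is not httpd source code. The names `drop_privileges` and `worker_after_drop` are hypothetical, and uid/gid 65534 is an assumed unprivileged account.

```c
#define _DEFAULT_SOURCE 1 /* setgroups() declaration on glibc */
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { WORKER_DROPPED = 0, WORKER_REFUSED = 1, WORKER_ERROR = 2 };

/* Runs in the child: give up uid/gid and confirm the change is permanent.
 * Order matters: supplementary groups, then gid, then uid last, because
 * after setuid() the process may no longer change its groups. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the new identity and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* The parent keeps its identity (root in a normal start, which is where
 * startup hooks such as post_config run). The forked worker drops to
 * uid/gid before it would handle a request, and exits rather than serve
 * with the parent's identity if the drop fails. */
int worker_after_drop(uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return WORKER_ERROR;
    if (pid == 0)
        _exit(drop_privileges(uid, gid) == 0 ? WORKER_DROPPED : WORKER_REFUSED);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return WORKER_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed target: 65534 when started as root, otherwise our own
     * ids so the example also runs unprivileged. */
    int root = (geteuid() == 0);
    uid_t uid = root ? 65534 : geteuid();
    gid_t gid = root ? 65534 : getegid();
    return worker_after_drop(uid, gid);
}
```

Only the child changes identity; anything a module does in the parent before the fork still runs with the identity the server was started with.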