Posted to dev@httpd.apache.org by Manoj Kasichainula <ma...@io.com> on 1998/10/19 00:01:56 UTC

listenwrap support

On Dean's listenwrap mods:

On Wed, Oct 07, 1998 at 11:48:00AM -0700, Dean Gaudet wrote:
> I encourage someone to take the above and clean it up for the tree.  Given
> that this coredump thing is ubiquitous (it's a security measure) we need a
> generic solution to it.  Not to mention that this gives folks a method of
> completely eliminating httpd running as root, not even the parent needs
> root with this.

I've got a patch worked up for this.  I extracted the listenwrap stuff
from arctic mods, added support for user and group names as well as
numeric ids, then added most of the work needed for APACI to
automatically configure it. I'll be posting it soon.

> The logging problem can be worked around with a setuid piped logger
> (setuid something other than nobody, doesn't need to be root).

How are you doing this so far? Do you already have a setuid logger
hiding somewhere?

I've been looking at how this should be done if not. If we still want
logs to be written as root, we can just use a setuid root program
which chroots to the log directory and writes to argv[1] (after other
checks of course).  But we could also allow avoiding the root user
altogether if we add in the pathname checks from suexec and forget
about chroot. Any preferences?

Also, is there a decent way to do this without a bunch of read and
write calls? I can use sendfile (which works on any fd IIRC) for some
platforms, but not all.

> Or it can be worked around with a more sophisticated listenwrap
> program that opens the logs as well. 

Then we'd have complicated code running as root, which we are trying
to avoid. I like the piped logger option more.

-- 
Manoj Kasichainula - manojk at io dot com - http://www.io.com/~manojk/
"I am J. D. Falk, Sysadmin. I own a web-server and a LART." - Jeff Mercer

Re: listenwrap support

Posted by Dean Gaudet <dg...@arctic.org>.
On Sun, 18 Oct 1998, Manoj Kasichainula wrote:

> Is it worth writing a C version? My tests say a perl version of cat is
> 2.5 times slower than cat, but I don't think it would hurt enough to
> matter.

Yeah I'd write it in C.  Also, if it catches HUP, USR1, INT, TERM then it
can actually buffer its writes, the parent will send one of those signals
when it's about to restart/die.

As Marc mentions you still need a secret to protect the setuid thing from
being run as anyone... which I think is why I wanted to just handle log
rotation from a simple root program:

    open pipes for logs
    fork()
      -- in child setuid to logger
      -- exec logger
    open protected ports
    fork()
      -- in child setuid to httpd
      -- exec httpd
    loop... replace logger or httpd as either dies

Then log rotation is achieved by killing the logger... which is completely
independent of restarting the server (assuming the logger is written to do
its buffering/signal catching properly). 

Dean
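
A C logger of the kind discussed above, which buffers its writes, flushes on HUP, USR1, INT or TERM, and checks the caller's uid, could look like the following. This is an added example, not code from the thread or from Apache; `ALLOWED_UID`, `BUFSZ` and `run_logger` are hypothetical names, and it assumes the logger keeps reading until EOF after a signal-triggered flush.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

#define ALLOWED_UID 33   /* assumed placeholder: httpd's uid, the only allowed caller */
#define BUFSZ 8192
static volatile sig_atomic_t flush_now;   /* set by HUP/USR1/INT/TERM */
static void on_signal(int sig) { (void)sig; flush_now = 1; }

/* Write all n bytes, retrying on EINTR and short writes. */
static int write_all(int fd, const char *p, size_t n) {
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0 && errno != EINTR) return -1;
        if (w > 0) { p += w; n -= (size_t)w; }
    }
    return 0;
}

/* Append in_fd to path (O_NOFOLLOW: no symlinked log); returns bytes logged or -1. */
long run_logger(int in_fd, const char *path) {
    static char buf[BUFSZ];
    static const int sigs[] = { SIGHUP, SIGUSR1, SIGINT, SIGTERM };
    size_t used = 0, i;
    long total = 0;
    struct sigaction sa;
    int out = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (out < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;            /* no SA_RESTART, so read() gets EINTR */
    for (i = 0; i < 4; i++) sigaction(sigs[i], &sa, NULL);
    for (;;) {
        ssize_t r = read(in_fd, buf + used, BUFSZ - used);
        if (r < 0 && errno != EINTR) { close(out); return -1; }
        if (r > 0) { used += (size_t)r; total += r; }
        if (used == BUFSZ || flush_now || r == 0) {   /* full, signalled or EOF */
            if (write_all(out, buf, used) < 0) { close(out); return -1; }
            used = 0; flush_now = 0;
        }
        if (r == 0) break;                /* EOF: the parent closed the pipe */
    }
    return close(out) < 0 ? -1 : total;
}

int main(int argc, char **argv) {
    if (argc != 2 || getuid() != ALLOWED_UID) return 1;   /* real uid = invoker */
    return run_logger(STDIN_FILENO, argv[1]) < 0 ? 1 : 0;
}
```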


Re: listenwrap support

Posted by Manoj Kasichainula <ma...@io.com>.
On Sun, Oct 18, 1998 at 06:59:57PM -0700, Dean Gaudet wrote:
> You mean like:
> 
> #!/usr/bin/perl
> $#ARGV == 0 || die "usage: logger filename\n";
> open(LOG, ">>$ARGV[0]") || die "$0: unable to open $ARGV[0] for writing: $!\n";
> print LOG <STDIN>;
> 
> and then setuid it to a non-root user who is also not the same as the user
> httpd runs as? 

Hmm, if this is owned by the group of the web server and mode 754, or
there's an added check for the current uid, this could work. Needs an
"undef $/" though.

Is it worth writing a C version? My tests say a perl version of cat is
2.5 times slower than cat, but I don't think it would hurt enough to
matter.

> You don't need logs written as root, you just need them written as
> something that's not the same as httpd.

Right, I was stuck on having root-owned logs still possible to
simulate the old behavior, but there's no reason for that.

But, this would make support for listenwrap in APACI impossible unless we
give it the power to create new users. It can always be set up
manually, though, and Configure would need that anyway.

-- 
Manoj Kasichainula - manojk at io dot com - http://www.io.com/~manojk/
"You can get more with a kind word and a 2x4 then just a kind word."
  -- Marcus, B5

[PATCH] listenwrap support

Posted by Manoj Kasichainula <ma...@io.com>.
On Sun, Oct 18, 1998 at 05:01:56PM -0500, Me at IO wrote:
> I've got a patch worked up for this.  I extracted the listenwrap stuff
> from arctic mods, added support for user and group names as well as
> numeric ids, then added most of the work needed for APACI to
> automatically configure it. I'll be posting it soon.

Here it is. I took out the piece of the patch to APACI that makes
apachectl run listenwrap instead of httpd, since it will probably
require a new user id to be set up before it works. Most of this is
Dean's code, though.

I still want to write a setuid logger, hopefully in C.

Thoughts?

-- 
Manoj Kasichainula - manojk at io dot com - http://www.io.com/~manojk/
"...and as she finally reached orgasm, she screamed 'the mail server
will be down for three hours tonight!  Yes!  Oh, yes!'" -- J.D. Falk

Re: listenwrap support

Posted by Marc Slemko <ma...@worldgate.com>.
On Sun, 18 Oct 1998, Dean Gaudet wrote:

> 
> 
> On Sun, 18 Oct 1998, Manoj Kasichainula wrote:
> 
> > How are you doing this so far? Do you already have a setuid logger
> > hiding somewhere?
> 
> You mean like:
> 
> #!/usr/bin/perl
> $#ARGV == 0 || die "usage: logger filename\n";
> open(LOG, ">>$ARGV[0]") || die "$0: unable to open $ARGV[0] for writing: $!\n";
> print LOG <STDIN>;
> 
> and then setuid it to a non-root user who is also not the same as the user
> httpd runs as? 

Well, you need it a bit more complex than that to avoid anyone from
running it...

> 
> You don't need logs written as root, you just need them written as
> something that's not the same as httpd.

You don't really _want_ them written as root either, but the current code
takes the lazy way out because people would be too hard pressed to
configure two users for Apache.


Re: listenwrap support

Posted by Dean Gaudet <dg...@arctic.org>.

On Sun, 18 Oct 1998, Manoj Kasichainula wrote:

> How are you doing this so far? Do you already have a setuid logger
> hiding somewhere?

You mean like:

#!/usr/bin/perl
$#ARGV == 0 || die "usage: logger filename\n";
open(LOG, ">>$ARGV[0]") || die "$0: unable to open $ARGV[0] for writing: $!\n";
print LOG <STDIN>;

and then setuid it to a non-root user who is also not the same as the user
httpd runs as? 

You don't need logs written as root, you just need them written as
something that's not the same as httpd.

Dean