Posted to dev@httpd.apache.org by Michael Clark <mi...@metaparadigm.com> on 2006/01/08 03:42:24 UTC

[RFC] Apache Privilege Separation 1.3.34-0.2

Hi Folks,

We've been doing some work on privilege separation with Apache 1.3
and thought we'd share it with folks here. Not expecting this work
to be integrated (as it relies on the external mod_dav module), although it
could serve as some groundwork for something similar in Apache 2.1.

I posted here some months ago regarding this (would like some feedback,
please cc me as I'm not on the list). I've now updated the code to
Apache 1.3.34 and it is available here:

  http://oss.metaparadigm.com/apache-privsep/

The Apache Privilege Separation patch addresses the problem that an
Apache WebDAV server can only write to files as the apache user
(usually something like 'nobody' or 'www'). It addresses this problem
in a secure way by adding privilege separation to the Apache web server
(conceptually similar to ssh privilege separation).

It can be used for instance to allow WebDAV access to ~user directories
and enable the usage of per user quotas.

In Privilege Separation mode Apache continues to run as an unprivileged
user although one additional especially secure process runs as 'root'.

The 'root' privilege separated process communicates with the main
apache process via unix sockets and has two purposes.

  Responds to PAM authentication requests (pam_unix authentication is not
  normally possible due to the unprivileged apache process not being
  able to access shadow passwords, but due to the privilege separated
  design this is now possible and secure). Authentication responses include
  a cryptographic cookie which encodes the user's credentials and is used in
  successive privileged filesystem requests made to the privsep process.

  Performs privileged filesystem operations on behalf of the unprivileged
  apache process with the privileges of the authenticated user. The crypto
  cookie is verified and then the effective userid is set and the file
  operation is performed. Certain auditable points in the apache and mod_dav
  code have been changed to use the privsep calls which communicate via unix
  sockets (priv_open, priv_unlink, priv_rmdir, etc.). File descriptors
  are passed back over unix sockets for open calls.

Feedback much appreciated.

Regards,
Michael Clark.
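The second purpose described in the mail (cookie check, effective uid switch, privileged open, descriptor passed back over a unix socket) in a minimal form. This is an added illustration written for this page, not code from the apache-privsep patch: the request and reply structs, the function names (privsep_issue_cookie, privsep_serve_open, priv_open_send, priv_open_recv, demo) and the session table are assumptions. In particular it uses an opaque random cookie that the broker looks up in its own table, whereas the patch's cookie encodes the credentials cryptographically; the seteuid switch only fires when the broker really runs as root, so the round trip also works unprivileged, and the demo opens /dev/null so it needs no fixture file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#define COOKIE_LEN 32
#define REQ_PATH_MAX 256
#define MAX_SESSIONS 16

/* Worker -> broker request (cookie issued at auth time); the reply carries only an errno, the fd itself rides back as SCM_RIGHTS ancillary data. */
struct priv_open_req { uint8_t cookie[COOKIE_LEN]; uint32_t uid; int32_t flags; char path[REQ_PATH_MAX]; };
struct priv_open_rep { int32_t err; };
/* Broker-side sessions. Assumption: an opaque random cookie looked up here stands in for the patch's cookie that encodes the credentials. */
static struct { uint8_t cookie[COOKIE_LEN]; uint32_t uid; int used; } sessions[MAX_SESSIONS];

/* Constant-time compare so a forged cookie cannot be confirmed byte by byte. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0; for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i]; return d == 0;
}
/* Broker: bind a fresh random cookie to uid after a successful authentication. */
int privsep_issue_cookie(uint32_t uid, uint8_t out[COOKIE_LEN]) {
    int r = open("/dev/urandom", O_RDONLY | O_CLOEXEC), i = 0;
    ssize_t n = r < 0 ? -1 : read(r, out, COOKIE_LEN);
    if (r >= 0) close(r);
    while (i < MAX_SESSIONS && sessions[i].used) i++;
    if (i == MAX_SESSIONS || n != COOKIE_LEN) return -1;
    memcpy(sessions[i].cookie, out, COOKIE_LEN); sessions[i].uid = uid; sessions[i].used = 1;
    return 0;
}

/* sendmsg/recvmsg helpers: one fixed-size message with at most one fd attached. */
static int send_with_fd(int sock, const void *buf, size_t len, int fd) {
    struct iovec iov = { (void *)buf, len };
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof(int))]; } cbuf = {{0}};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        msg.msg_control = cbuf.raw; msg.msg_controllen = sizeof cbuf.raw;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)len ? 0 : -1;
}
static int recv_with_fd(int sock, void *buf, size_t len, int *fd) {
    struct iovec iov = { buf, len };
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof(int))]; } cbuf;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf.raw, .msg_controllen = sizeof cbuf.raw };
    *fd = -1;
    if (recvmsg(sock, &msg, 0) != (ssize_t)len) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS) memcpy(fd, CMSG_DATA(c), sizeof(int));
    return 0;
}

/* Broker: serve one priv_open. Verify the cookie, switch effective uid (only when really root, so the demo also runs unprivileged), open, pass the fd back. */
int privsep_serve_open(int sock) {
    struct priv_open_req req; struct priv_open_rep rep = {0};
    int stray, ok = 0, fd = -1, was_root = (geteuid() == 0);
    if (recv_with_fd(sock, &req, sizeof req, &stray) < 0) return -1;
    if (stray >= 0) close(stray); req.path[REQ_PATH_MAX - 1] = '\0';   /* no fds from workers; bounded path */
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].used && sessions[i].uid == req.uid && ct_equal(sessions[i].cookie, req.cookie, COOKIE_LEN)) ok = 1;
    if (!ok) rep.err = EACCES;
    else if (was_root && seteuid(req.uid) < 0) rep.err = errno;
    else {
        fd = open(req.path, req.flags | O_CLOEXEC | O_NOFOLLOW, 0666);   /* a real broker would also whitelist flags */
        if (fd < 0) rep.err = errno;
        if (was_root && seteuid(0) < 0) _exit(1);   /* a broker that cannot regain root is unusable */
    }
    int rc = send_with_fd(sock, &rep, sizeof rep, fd);
    if (fd >= 0) close(fd);                         /* the worker now holds its own copy */
    return rc;
}

/* Worker side of priv_open, split in two so the demo can drive both ends in one process. */
int priv_open_send(int sock, const uint8_t *cookie, uint32_t uid, const char *path, int flags) {
    struct priv_open_req req = { .uid = uid, .flags = flags };
    if (strlen(path) >= REQ_PATH_MAX) { errno = ENAMETOOLONG; return -1; }
    memcpy(req.cookie, cookie, COOKIE_LEN); strcpy(req.path, path);
    return send_with_fd(sock, &req, sizeof req, -1);
}
int priv_open_recv(int sock) {
    struct priv_open_rep rep; int fd;
    if (recv_with_fd(sock, &rep, sizeof rep, &fd) < 0) return -1;
    if (rep.err == 0 && fd >= 0) return fd;
    if (fd >= 0) close(fd);
    errno = rep.err ? rep.err : EPROTO; return -1;
}

/* Demo: one round trip over a socketpair, both ends driven here. Returns the byte count written through the broker-opened fd (1), or -errno when the broker refuses. */
int demo(int valid_cookie) {
    uint8_t ck[COOKIE_LEN] = {0}; uint32_t uid = (uint32_t)getuid();
    int sv[2], fd = -1, rc;
    if (valid_cookie && privsep_issue_cookie(uid, ck) < 0) return -EIO;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    if (priv_open_send(sv[0], ck, uid, "/dev/null", O_WRONLY) == 0 && privsep_serve_open(sv[1]) == 0)
        fd = priv_open_recv(sv[0]);
    if (fd >= 0) { rc = (int)write(fd, "x", 1); close(fd); } else rc = -errno;
    close(sv[0]); close(sv[1]);
    return rc;
}
```

The worker never calls open(2) on the target itself; it only ever holds the descriptor the broker chose to hand over, which is what keeps the unprivileged process from touching the filesystem with anyone's rights but its own. demo(1) issues a cookie and gets a usable descriptor back (the write of one byte returns 1); demo(0) sends an unissued cookie and is refused with EACCES before any open happens.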