You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/04/14 10:31:15 UTC

DO NOT REPLY [Bug 47021] New: A new MPM (security) and mod_selinux module

https://issues.apache.org/bugzilla/show_bug.cgi?id=47021

           Summary: A new MPM (security) and mod_selinux module
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: kaigai@ak.jp.nec.com


We intend to execute web-applications under the restrictive privileges
(necessary minimum, if possible) to prevent system resources are unexpectedly
accessed using buggy web-applications.

The new MPM (security) spawns a one-time process for each connection, and it
gives third-party modules a chance to assign individual privileges prior to
invocation of content handlers.

The existing MPM reuses a process or thread to handle multiple requests more
than once. It gives us benefit from the perspective of performance, but it also
gives us a headache issue. Some of enhanced security mechanism (such as
SELinux) does not allow processes to revert its privileges, even if it is
dynamically changed, so it means we cannot reuse a process which already
handled a request at least.

The mod_selinux is a proof of concept. It assigns individual security context
(privileges in SELinux) based on the result of http-authentication, prior to
the invocation of web-application but after the authentication.

The MPM is implemented based on the prefork with a bit of hacks.

- httpd-mpm_security-copied.090414.patch
  It is just a copy from prefork/ to security/.
- httpd-mpm_security-modified.090414.patch
  It is a differences from the original prefork.
- httpd-mod_selinux.090414.patch
  It is the implementation of mod_selinux module

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47021


KaiGai Kohei <ka...@ak.jp.nec.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable




-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47021





--- Comment #5 from KaiGai Kohei <ka...@ak.jp.nec.com>  2009-04-14 07:00:30 PST ---
(In reply to comment #4)
> Any chance mod_selinux could assign privileges based on virtual-host, instead
> of (or in-addition to) http-authentication ?

The mod_selinux.so provide the following two configuration parameters:
- selinuxConfigFile
 It specifies the filename which defines associations between
 http-authentication and domain/range of SELinux.

- selinuxDefaultDomain
 It specifies the fallback domain/range of SELinux, when we have no
 configuration file or no matched entry.

If you put only selinuxDefaultDomain within virtual host definition,
it means we can assign a certain security context per virtual host.

> That would make it very interesting for for web-hosting, where you can give
> guest_t logins to your users, and only let them edit/see their own
> virtual-host's DocumentRoot both for ssh-sessjons and web-sessions.

I also think it is worthful and interesting use-case.
(Needless to say, it also need some reworks for security policy.)

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47021





--- Comment #2 from KaiGai Kohei <ka...@ak.jp.nec.com>  2009-04-14 01:32:32 PST ---
Created an attachment (id=23485)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23485)
Differences from the original prefork

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47021





--- Comment #4 from Jan-Frode Myklebust <ja...@tanso.net>  2009-04-14 02:07:03 PST ---
Any chance mod_selinux could assign privileges based on virtual-host, instead
of (or in-addition to) http-authentication ?

That would make it very interesting for for web-hosting, where you can give
guest_t logins to your users, and only let them edit/see their own
virtual-host's DocumentRoot both for ssh-sessjons and web-sessions.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47021





--- Comment #1 from KaiGai Kohei <ka...@ak.jp.nec.com>  2009-04-14 01:31:58 PST ---
Created an attachment (id=23484)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23484)
Just a copy from prefork to security

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47021





--- Comment #3 from KaiGai Kohei <ka...@ak.jp.nec.com>  2009-04-14 01:33:27 PST ---
Created an attachment (id=23486)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23486)
A module to assign SELinux's security context

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47021


KaiGai Kohei <ka...@ak.jp.nec.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Comment #6 from KaiGai Kohei <ka...@ak.jp.nec.com>  2009-06-01 16:34:58 PST ---
It can be achieved in another approach.

See the mod_selinux.so at:
  http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org