You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/04/14 10:31:15 UTC
DO NOT REPLY [Bug 47021] New: A new MPM (security) and mod_selinux
module
https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
Summary: A new MPM (security) and mod_selinux module
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: kaigai@ak.jp.nec.com
We intend to execute web-applications under the restrictive privileges
(necessary minimum, if possible) to prevent system resources are unexpectedly
accessed using buggy web-applications.
The new MPM (security) spawns a one-time process for each connection, and it
gives third-party modules a chance to assign individual privileges prior to
invocation of content handlers.
The existing MPM reuses a process or thread to handle multiple requests more
than once. It gives us benefit from the perspective of performance, but it also
gives us a headache issue. Some of enhanced security mechanism (such as
SELinux) does not allow processes to revert its privileges, even if it is
dynamically changed, so it means we cannot reuse a process which already
handled a request at least.
The mod_selinux is a proof of concept. It assigns individual security context
(privileges in SELinux) based on the result of http-authentication, prior to
the invocation of web-application but after the authentication.
The MPM is implemented based on the prefork with a bit of hacks.
- httpd-mpm_security-copied.090414.patch
It is just a copy from prefork/ to security/.
- httpd-mpm_security-modified.090414.patch
It is a differences from the original prefork.
- httpd-mod_selinux.090414.patch
It is the implementation of mod_selinux module
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
KaiGai Kohei <ka...@ak.jp.nec.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
--- Comment #5 from KaiGai Kohei <ka...@ak.jp.nec.com> 2009-04-14 07:00:30 PST ---
(In reply to comment #4)
> Any chance mod_selinux could assign privileges based on virtual-host, instead
> of (or in-addition to) http-authentication ?
The mod_selinux.so provide the following two configuration parameters:
- selinuxConfigFile
It specifies the filename which defines associations between
http-authentication and domain/range of SELinux.
- selinuxDefaultDomain
It specifies the fallback domain/range of SELinux, when we have no
configuration file or no matched entry.
If you put only selinuxDefaultDomain within virtual host definition,
it means we can assign a certain security context per virtual host.
> That would make it very interesting for for web-hosting, where you can give
> guest_t logins to your users, and only let them edit/see their own
> virtual-host's DocumentRoot both for ssh-sessjons and web-sessions.
I also think it is worthful and interesting use-case.
(Needless to say, it also need some reworks for security policy.)
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
--- Comment #2 from KaiGai Kohei <ka...@ak.jp.nec.com> 2009-04-14 01:32:32 PST ---
Created an attachment (id=23485)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=23485)
Differences from the original prefork
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
--- Comment #4 from Jan-Frode Myklebust <ja...@tanso.net> 2009-04-14 02:07:03 PST ---
Any chance mod_selinux could assign privileges based on virtual-host, instead
of (or in-addition to) http-authentication ?
That would make it very interesting for for web-hosting, where you can give
guest_t logins to your users, and only let them edit/see their own
virtual-host's DocumentRoot both for ssh-sessjons and web-sessions.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
--- Comment #1 from KaiGai Kohei <ka...@ak.jp.nec.com> 2009-04-14 01:31:58 PST ---
Created an attachment (id=23484)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=23484)
Just a copy from prefork to security
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
--- Comment #3 from KaiGai Kohei <ka...@ak.jp.nec.com> 2009-04-14 01:33:27 PST ---
Created an attachment (id=23486)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=23486)
A module to assign SELinux's security context
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 47021] A new MPM (security) and mod_selinux module
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
KaiGai Kohei <ka...@ak.jp.nec.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #6 from KaiGai Kohei <ka...@ak.jp.nec.com> 2009-06-01 16:34:58 PST ---
It can be achieved in another approach.
See the mod_selinux.so at:
http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org