[users@httpd] Apache Privilege Separation for WebDAV

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Folks,

I've been doing some work on privilege separation with Apache 1.3
and thought I share it with folk here (could be useful for anyone
who is using WebDAV and apache).

  http://oss.metaparadigm.com/apache-privsep/

The Apache Privilege Separation patch addresses the problem that an
Apache WebDAV server can only write to files as the apache user
(usually something like 'nobody' or 'www'). It addresses this problem
in a secure way by adding privilege separation to the Apache web server
(conceptually similar to ssh privilege separation).

It can be used for instance to allow WebDAV access to ~user directories
and enable the use of per user quotas.

In Privilege Separation mode Apache continues to run as an unprivileged
user although one additional especially secure process runs as 'root'.

The 'root' privileged separated process communicates with the main
apache process via unix sockets and has two purposes.

  Responds to PAM authentication requests (pam_unix authentication is not
  normally possible due to the unprivileged apache process not being
  able to access shadow passwords, but due to the privilege separated
  design this is now possible and secure). Authentication responses include
  a cryptographic cookie which encodes the users credentials and is used in
  successive privileged filesystem requests made to the privsep process.

  Performs privileged filesystem operations on behalf of the unprivileged
  apache process as the privileges of the authenticated user. The crypto
  cookie is verified and then the effective userid is set and the file
  operation is performed. Certain auditable points in the apache and mod_dav
  code have been changed to use the privsep calls which communicate via unix
  sockets (priv_open, priv_unlink, priv_rmdir, etc...). File descriptors
  are passed back over unix sockets for open calls.

Feedback much appreciated.

Regards,
Michael Clark.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux