Contents of /httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml

Revision 758613 - (hide annotations)
Thu Mar 26 12:44:48 2009 UTC (8 months ago) by trawick
File MIME type: text/xml
File size: 16461 byte(s)
remove leader, perchild, and threadpool MPMs (other than non-English bits in common parts of the manual)
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->

<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<modulesynopsis metafile="mod_privileges.xml.meta">

<name>mod_privileges</name>
<description>Support for Solaris privileges and for running virtual hosts
under different user IDs.</description>
<status>Experimental</status>
<identifier>privileges_module</identifier>
<compatibility>Available in Apache 2.3 and up, on Solaris 10 and
OpenSolaris platforms</compatibility>

<summary>
<p>This module enables different Virtual Hosts to run with different
Unix&trade; <var>User</var> and <var>Group</var> IDs, and with different
<a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>Solaris Privileges</a>. In particular, it offers a solution to the
problem of privilege separation between different Virtual Hosts, first
promised by the abandoned perchild MPM. It also offers other security
enhancements.</p>

<p>Unlike perchild, <module>mod_privileges</module>
is not itself an MPM. It works <em>within</em> a processing model to
set privileges and User/Group <em>per request</em> in a running process.
It is therefore not compatible with a threaded MPM, and will refuse
to run under one.</p>

<p><module>mod_privileges</module> raises security issues similar to
those of <a href="../suexec.html">suexec</a>. But unlike suexec,
it applies not only to CGI programs but to the entire request processing
cycle, including in-process applications and subprocesses.
It is ideally suited to running PHP applications under <strong>mod_php</strong>,
which is also incompatible with threaded MPMs. It is also well-suited
to other in-process scripting applications such as <strong>mod_perl</strong>,
<strong>mod_python</strong>, and <strong>mod_ruby</strong>, and to
applications implemented in C as apache modules where privilege
separation is an issue.</p>

</summary>

<section id="security"><title>Security Considerations</title>
<p>There are three principal security concerns with mod_privileges:</p>
<ul><li>Running as a system user introduces the same security issues
as mod_suexec, and near-equivalents such as cgiwrap and suphp.</li>
<li>A privileges-aware malicious user extension (module or script)
could escalate its privileges to anything available to the
httpd process in any virtual host.</li>
<li>A privileges-aware malicious user extension (module or script)
could escalate privileges to set its user ID to another
system user (and/or group).</li>
</ul>

<p>The first is amply discussed in the suexec page and elsewhere, and
doesn't need repeating here. The second and third boil down to one
principle: ensure no untrusted privileges-aware code can be loaded.
</p>

<p>There are several ways privileges-aware code could be loaded into Apache:</p>
<ul>
<li>within the base system (e.g. mod_privileges itself if statically linked).</li>
<li>Loaded at startup using a LoadModule or LoadFile directive.</li>
<li>Loaded at startup indirectly by an application module such as mod_php.</li>
<li>Loaded at runtime by an application module or script.</li>
</ul>

<p>What gets loaded at startup is under the control of the sysop, and
relatively easy to deal with. A tool will be provided to audit your
installation. That leaves code loaded in the course of processing a
request as the threat. There is unfortunately no generic way apache
can control what a script running under an application module can load,
so you should use the security provided by your scripting module
and language.</p>

<section><title>Security with mod_php</title>

<p>There is no known PHP extension supporting Solaris privileges, so it
is unlikely that a script could escalate privileges unless it can
load external (non-PHP) privileges-aware code. However, you should
nevertheless audit your mod_php installation.</p>

<p>To prevent scripts loading privileges-aware code, PHP's dl() function
should be disabled. This is automatic in safe mode.</p>

</section>

<section><title>Security with mod_perl</title>

<p>Perl has an extension Sun::Solaris::Privileges that exposes the privileges
API to scripts. You should ensure this extension is NOT installed if you
have untrusted users.</p>

<p>You will also need to ensure that your users cannot load shared objects
(including PerlXS) from their own user directories, or that if this is
enabled, the entire user-space must be carefully audited.</p>
</section>

<section><title>Security with mod_python</title>

<p>There is no known Python extension supporting Solaris privileges, so it
is unlikely that a script could escalate privileges unless it can
load external (non-Python) privileges-aware code. However, you should
nevertheless audit your mod_python installation.</p>

<p>*** What are the issues of Python loading a shared object?</p>
</section>

<section><title>Security with mod_ruby</title>

<p>There is no known Ruby extension supporting Solaris privileges, so it
is unlikely that a script could escalate privileges unless it can
load external (non-Ruby) privileges-aware code. However, you should
nevertheless audit your mod_ruby installation.</p>

<p>*** What are the issues of Ruby loading a shared object?</p>
</section>

<section><title>Security with Lua/mod_wombat</title>

<p>???</p>
</section>
<section><title>Security with scripts</title>
<p>The security issues of mod_privileges do not affect scripts such as
traditional CGI, which run in a separate process. That includes
PHP, Perl, Python, Ruby, etc., run out-of-process.</p>
</section>
</section>
<directivesynopsis>
<name>VHostUser</name>
<description>Sets the User ID under which a virtual host runs.</description>
<syntax>VHostUser <var>unix-userid</var></syntax>
<default>Inherits the userid specified in
<directive module="mod_unixd">User</directive></default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>The <directive>VHostUser</directive> directive sets the Unix userid
under which the server will process requests to a virtualhost.
The userid is set before the request is processed and reset afterwards
using <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>Solaris Privileges</a>. Since the setting applies to the
<em>process</em>, this is not compatible with threaded MPMs.</p>
<p><var>Unix-userid</var> is one of:</p>
<dl>
<dt>A username</dt>
<dd>Refers to the given user by name.</dd>

<dt><code>#</code> followed by a user number.</dt>
<dd>Refers to a user by its number.</dd>
</dl>

<note type="warning"><title>Security</title>
<p>This directive cannot be used to run apache as root!
Nevertheless, it opens potential security issues similar to
those discussed in the <a href="../suexec.html">suexec</a>
documentation.</p></note>
</usage>
<seealso><directive module="mod_unixd">User</directive></seealso>
<seealso><directive module="mod_suexec">SuexecUserGroup</directive></seealso>
</directivesynopsis>

<directivesynopsis>
<name>VHostGroup</name>
<description>Sets the Group ID under which a virtual host runs.</description>
<syntax>VHostGroup <var>unix-groupid</var></syntax>
<default>Inherits the group id specified in
<directive module="mod_unixd">Group</directive></default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>The <directive>VHostGroup</directive> directive sets the Unix group
under which the server will process requests to a virtualhost.
The group is set before the request is processed and reset afterwards
using <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>Solaris Privileges</a>. Since the setting applies to the
<em>process</em>, this is not compatible with threaded MPMs.</p>
<p><var>Unix-groupid</var> is one of:</p>
<dl>
<dt>A group name</dt>
<dd>Refers to the given group by name.</dd>

<dt><code>#</code> followed by a group number.</dt>
<dd>Refers to a group by its number.</dd>
</dl>

<note type="warning"><title>Security</title>
<p>This directive cannot be used to run apache as root!
Nevertheless, it opens potential security issues similar to
those discussed in the <a href="../suexec.html">suexec</a>
documentation.</p></note>
</usage>
<seealso><directive module="mod_unixd">Group</directive></seealso>
<seealso><directive module="mod_suexec">SuexecUserGroup</directive></seealso>
</directivesynopsis>

<directivesynopsis>
<name>VHostSecure</name>
<description>Determines whether the server runs with enhanced security
for the virtualhost.</description>
<syntax>VHostSecure On|Off</syntax>
<default>VHostSecure On</default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>Determines whether the virtual host processes requests with
security enhanced by removal of <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>Privileges</a> that are rarely needed in a webserver, but which are
available by default to a normal Unix user and may therefore
be required by modules and applications. It is recommended that
you retain the default (On) unless it prevents an application running.
Since the setting applies to the <em>process</em>, this is not
compatible with threaded MPMs.</p>
<note><title>Note</title>
<p>If <directive>VHostSecure</directive> prevents an application
running, this may be a warning sign that the application should be
reviewed for security.</p></note>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>VHostCGIMode</name>
<description>Determines whether the virtualhost can run
subprocesses, and the privileges available to subprocesses.</description>
<syntax>VHostCGIMode On|Off|Secure</syntax>
<default>VHostCGIMode On</default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>Determines whether the virtual host is allowed to run fork and exec,
the <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>privileges</a> required to run subprocesses. If this is set to
<var>Off</var> the virtualhost is denied the privileges and will not
be able to run traditional CGI programs or scripts under the traditional
<module>mod_cgi</module>, nor similar external programs such as those
created by <module>mod_ext_filter</module> or
<directive module="mod_rewrite">RewriteMap</directive> <var>prog</var>.
Note that it does not prevent CGI programs running under alternative
process and security models such as <a href="http://fastcgi.coremail.cn"
>mod_fcgid</a>, which is a recommended solution in Solaris.</p>
<p>If set to <var>On</var> or <var>Secure</var>, the virtual host
is permitted to run external programs and scripts as above.
Setting <directive>VHostCGIMode</directive> <var>Secure</var> has
the effect of denying privileges to the subprocesses, as described
for <directive>VHostSecure</directive>.</p>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>DTracePrivileges</name>
<description>Determines whether the privileges required by dtrace are enabled.</description>
<syntax>DTracePrivileges On|Off</syntax>
<default>DTracePrivileges Off</default>
<contextlist><context>server config</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>This server-wide directive determines whether Apache will run with
the <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>privileges</a> required to run
<a href="http://www.sun.com/bigadmin/content/dtrace/">dtrace</a>.
Note that <var>DTracePrivileges On</var> will not in itself
activate DTrace, but <var>DTracePrivileges Off</var> will prevent
it working.</p>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>VHostPrivs</name>
<description>Assign arbitrary privileges to a virtual host.</description>
<syntax>VHostPrivs [+-]?<var>privilege-name</var> [[+-]?<var>privilege-name</var>] ...</syntax>
<default>None</default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM)
and when <module>mod_privileges</module> is compiled with the
<var>BIG_SECURITY_HOLE</var> compile-time option.</compatibility>

<usage>
<p><directive>VHostPrivs</directive> can be used to assign arbitrary <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>privileges</a> to a virtual host. Each <var>privilege-name</var>
is the name of a Solaris privilege, such as <var>file_setid</var>
or <var>sys_nfs</var>.</p>

<p>A <var>privilege-name</var> may optionally be prefixed by
+ or -, which will respectively allow or deny a privilege.
If used with neither + nor -, all privileges otherwise assigned
to the virtualhost will be denied. You can use this to override
any of the default sets and construct your own privilege set.</p>

<note type="warning"><title>Security</title>
<p>This directive can open huge security holes in apache, up to
and including running requests with root-level powers. Do not
use it unless you fully understand what you are doing!</p></note>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>VHostCGIPrivs</name>
<description>Assign arbitrary privileges to subprocesses created
by a virtual host.</description>
<syntax>VHostCGIPrivs [+-]?<var>privilege-name</var> [[+-]?<var>privilege-name</var>] ...</syntax>
<default>None</default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM)
and when <module>mod_privileges</module> is compiled with the
<var>BIG_SECURITY_HOLE</var> compile-time option.</compatibility>

<usage>
<p><directive>VHostCGIPrivs</directive> can be used to assign arbitrary <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>privileges</a> to subprocesses created by a virtual host, as discussed
under <directive>VHostCGIMode</directive>. Each <var>privilege-name</var>
is the name of a Solaris privilege, such as <var>file_setid</var>
or <var>sys_nfs</var>.</p>

<p>A <var>privilege-name</var> may optionally be prefixed by
+ or -, which will respectively allow or deny a privilege.
If used with neither + nor -, all privileges otherwise assigned
to the virtualhost will be denied. You can use this to override
any of the default sets and construct your own privilege set.</p>

<note type="warning"><title>Security</title>
<p>This directive can open huge security holes in apache subprocesses,
up to and including running them with root-level powers. Do not
use it unless you fully understand what you are doing!</p></note>
</usage>
</directivesynopsis>
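<section id="audit"><title>Auditing a privilege-separated configuration</title>
<p>The script below is an added example, not code from the httpd project or from
<module>mod_privileges</module>. It reads a constructed <code>httpd.conf</code>
fragment with a minimal parser and reports the settings this page warns about:
startup-loaded code (<directive module="mod_so">LoadModule</directive> and
<directive module="mod_so">LoadFile</directive>), <directive>DTracePrivileges</directive>
<var>On</var>, virtual hosts that inherit the global <directive module="mod_unixd">User</directive>,
<directive>VHostSecure</directive> <var>Off</var>, <directive>VHostCGIMode</directive> left
<var>On</var>, and any use of <directive>VHostPrivs</directive> or
<directive>VHostCGIPrivs</directive>. The function names, severities and message
texts are this example's own assumptions.</p>
<![CDATA[
```python
# Added example, not part of httpd or mod_privileges: audit an httpd.conf fragment
# for the settings this page flags. Minimal reader: no Include, continuations or
# comments. SAMPLE_CONF is constructed: tenant-a is separated, tenant-b is not.
import re

SAMPLE_CONF = """\
User webservd
LoadModule privileges_module modules/mod_privileges.so
DTracePrivileges On
<VirtualHost *:80>
    ServerName tenant-a.example
    VHostUser tenant_a
    VHostCGIMode Off
</VirtualHost>
<VirtualHost *:80>
    ServerName tenant-b.example
    VHostSecure Off
    VHostPrivs +file_setid
</VirtualHost>
"""


def parse(conf):
    """Return (server, vhosts): dicts of lower-cased directive -> [arg lists]."""
    server, vhosts, current = {}, [], None
    for line in filter(None, map(str.strip, conf.splitlines())):
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {}
            vhosts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        else:
            name, _, args = line.partition(" ")
            scope = server if current is None else current
            scope.setdefault(name.lower(), []).append(args.split())
    return server, vhosts


def last_arg(scope, directive, default):
    # Last occurrence wins, as in httpd; compared case-insensitively.
    return scope.get(directive, [[default]])[-1][0].lower()


def audit(conf):
    """Return (severity, message) findings; severity is crit, warn or info."""
    server, vhosts = parse(conf)
    out = []
    for d in ("loadmodule", "loadfile"):  # startup-loaded code is the sysop's to audit
        for args in server.get(d, []):
            out.append(("info", f"review startup-loaded code: {d} {' '.join(args)}"))
    if last_arg(server, "dtraceprivileges", "Off") == "on":
        out.append(("warn", "DTracePrivileges On keeps dtrace privileges server-wide"))
    for vh in vhosts:
        name = vh.get("servername", [["(unnamed)"]])[0][0]
        if "vhostuser" not in vh:  # inherits the global User: no separation from other vhosts
            out.append(("warn", f"{name}: no VHostUser, runs as the global User"))
        if last_arg(vh, "vhostsecure", "On") == "off":
            out.append(("warn", f"{name}: VHostSecure Off drops the default privilege reduction"))
        if last_arg(vh, "vhostcgimode", "On") == "on":
            out.append(("info", f"{name}: VHostCGIMode On; prefer Off, or Secure if CGI is needed"))
        for d in ("vhostprivs", "vhostcgiprivs"):  # arbitrary privileges (BIG_SECURITY_HOLE build)
            if d in vh:
                out.append(("crit", f"{name}: {d} {' '.join(vh[d][0])} assigns arbitrary privileges"))
    return out
```
]]>
</section>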


</modulesynopsis>
