| 58 |
|
|
| 59 |
</summary> |
</summary> |
| 60 |
|
|
| 61 |
|
<section id="security"><title>Security Considerations</title> |
| 62 |
|
<p>There are three principal security concerns with mod_privileges:</p> |
| 63 |
|
<ul><li>Running as a system user introduces the same security issues |
| 64 |
|
as mod_suexec, and near-equivalents such as cgiwrap and suphp.</li> |
| 65 |
|
<li>A privileges-aware malicious user extension (module or script) |
| 66 |
|
could escalate its privileges to anything available to the |
| 67 |
|
httpd process in any virtual host.</li> |
| 68 |
|
<li>A privileges-aware malicious user extension (module or script) |
| 69 |
|
could escalate privileges to set its user ID to another |
| 70 |
|
system user (and/or group).</li> |
| 71 |
|
</ul> |
| 72 |
|
|
| 73 |
|
<p>The first is amply discussed in the suexec page and elsewhere, and |
| 74 |
|
doesn't need repeating here. The second and third boil down to one |
| 75 |
|
principle: ensure no untrusted privileges-aware code can be loaded. |
| 76 |
|
</p> |
| 77 |
|
|
| 78 |
|
<p>There are several ways privileges-aware code could be loaded into Apache:</p> |
| 79 |
|
<ul> |
| 80 |
|
<li>within the base system (e.g. mod_privileges itself if statically linked).</li> |
| 81 |
|
<li>Loaded at startup using a LoadModule or LoadFile directive.</li> |
| 82 |
|
<li>Loaded at startup indirectly by an application module such as mod_php.</li> |
| 83 |
|
<li>Loaded at runtime by an application module or script.</li> |
| 84 |
|
</ul> |
| 85 |
|
|
| 86 |
|
<p>What gets loaded at startup is under the control of the sysop, and |
| 87 |
|
relatively easy to deal with. A tool will be provided to audit your |
| 88 |
|
installation. That leaves code loaded in the course of processing a |
| 89 |
|
request as the threat. There is unfortunately no generic way apache |
| 90 |
|
can control what a script running under an application module can load, |
| 91 |
|
so you should use the security provided by your scripting module |
| 92 |
|
and language.</p> |
| 93 |
|
|
| 94 |
|
<section><title>Security with mod_php</title> |
| 95 |
|
|
| 96 |
|
<p>There is no known PHP extension supporting Solaris privileges, so it |
| 97 |
|
is unlikely that a script could escalate privileges unless it can |
| 98 |
|
load external (non-PHP) privileges-aware code. However, you should |
| 99 |
|
nevertheless audit your mod_php installation.</p> |
| 100 |
|
|
| 101 |
|
<p>To prevent scripts loading privileges-aware code, PHP's dl() function |
| 102 |
|
should be disabled. This is automatic in safe mode.</p> |
| 103 |
|
|
| 104 |
|
</section> |
| 105 |
|
|
| 106 |
|
<section><title>Security with mod_perl</title> |
| 107 |
|
|
| 108 |
|
<p>Perl has an extension Sun::Solaris::Privileges that exposes the privileges |
| 109 |
|
API to scripts. You should ensure this extension is NOT installed if you |
| 110 |
|
have untrusted users.</p> |
| 111 |
|
|
| 112 |
|
<p>You will also need to ensure that your users cannot load shared objects |
| 113 |
|
(including PerlXS) from their own user directories, or that if this is |
| 114 |
|
enabled, the entire user-space must be carefully audited.</p> |
| 115 |
|
</section> |
| 116 |
|
|
| 117 |
|
<section><title>Security with mod_python</title> |
| 118 |
|
|
| 119 |
|
<p>There is no known Python extension supporting Solaris privileges, so it |
| 120 |
|
is unlikely that a script could escalate privileges unless it can |
| 121 |
|
load external (non-Python) privileges-aware code. However, you should |
| 122 |
|
nevertheless audit your mod_ruby installation.</p> |
| 123 |
|
|
| 124 |
|
<p>*** What are the issues of Python loading a shared object?</p> |
| 125 |
|
</section> |
| 126 |
|
|
| 127 |
|
<section><title>Security with mod_ruby</title> |
| 128 |
|
|
| 129 |
|
<p>There is no known Ruby extension supporting Solaris privileges, so it |
| 130 |
|
is unlikely that a script could escalate privileges unless it can |
| 131 |
|
load external (non-Ruby) privileges-aware code. However, you should |
| 132 |
|
nevertheless audit your mod_ruby installation.</p> |
| 133 |
|
|
| 134 |
|
<p>*** What are the issues of Ruby loading a shared object?</p> |
| 135 |
|
</section> |
| 136 |
|
|
| 137 |
|
<section><title>Security with Lua/mod_wombat</title> |
| 138 |
|
|
| 139 |
|
<p>???</p> |
| 140 |
|
</section> |
| 141 |
|
<section><title>Security with scripts</title> |
| 142 |
|
<p>The security issues of mod_privileges do not affect scripts such as |
| 143 |
|
traditional CGI, which run in a separate process. That includes |
| 144 |
|
PHP, Perl, Python, Ruby, etc, run out-of-process.</p> |
| 145 |
|
</section> |
| 146 |
|
</section> |
| 147 |
<directivesynopsis> |
<directivesynopsis> |
| 148 |
<name>VHostUser</name> |
<name>VHostUser</name> |
| 149 |
<description>Sets the User ID under which a virtual host runs.</description> |
<description>Sets the User ID under which a virtual host runs.</description> |
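Review bot: In the new "Security with mod_python" section, the last sentence of the first paragraph tells the reader to "audit your mod_ruby installation"; this looks copied from the mod_ruby section and should name mod_python. The same hunk also puts draft placeholders into rendered documentation: the "*** What are the issues of Python/Ruby loading a shared object?" paragraphs and the bare "???" under "Security with Lua/mod_wombat". Since the section's stated principle is that no untrusted privileges-aware code may be loaded, these are exactly the places an administrator needs an answer, so either fill them in or move them into XML comments until they are resolved. Two smaller points: "A tool will be provided to audit your installation" promises something this change does not add, so it should be worded as future work or dropped, and the mod_php paragraph says dl() "should be disabled" without saying how to do that outside safe mode.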