/[Apache-SVN]/httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml
ViewVC logotype

Contents of /httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml

Parent Directory Parent Directory | Revision Log Revision Log

Revision 713961 - (show annotations)
Fri Nov 14 09:48:39 2008 UTC (12 months, 1 week ago) by niq
File MIME type: text/xml
File size: 12846 byte(s) 
Introduce mod_privileges: a platform-specific module offering enhanced
security and a (limited) solution to the "perchild" problem.
1 <?xml version="1.0"?>
2 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
4 <!-- $LastChangedRevision: 703441 $ -->
5
6 <!--
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
13
14 http://www.apache.org/licenses/LICENSE-2.0
15
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
21 -->
22
23 <modulesynopsis metafile="mod_privileges.xml.meta">
24
25 <name>mod_privileges</name>
26 <description>Support for Solaris privileges and for running virtual hosts
27 under different user IDs.</description>
28 <status>Experimental</status>
29 <identifier>privileges_module</identifier>
30 <compatibility>Available in Apache 2.3 and up, on Solaris 10 and
31 OpenSolaris platforms</compatibility>
32
33 <summary>
34 <p>This module enables different Virtual Hosts to run with different
35 Unix&trade; <var>User</var> and <var>Group</var> IDs, and with different
36 <a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
37 >Solaris Privileges</a>. In particular, it offers a solution to the
38 problem of privilege separation between different Virtual Hosts, first
39 promised by the abandoned <module>perchild</module> MPM.
40 It also offers other security enhancements.</p>
41
42 <p>Unlike <module>perchild</module>, <module>mod_privileges</module>
43 is not itself an MPM. It works <em>within</em> a processing model to
44 set privileges and User/Group <em>per request</em> in a running process.
45 It is therefore not compatible with a threaded MPM, and will refuse
46 to run under one.</p>
47
48 <p><module>mod_privileges</module> raises security issues similar to
49 those of <a href="../suexec.html">suexec</a>. But unlike suexec,
50 it applies not only to CGI programs but to the entire request processing
51 cycle, including in-process applications and subprocesses.
52 It is ideally suited to running PHP applications under <strong>mod_php</strong>,
53 which is also incompatible with threaded MPMs. It is also well-suited
54 to other in-process scripting applications such as <strong>mod_perl</strong>,
55 <strong>mod_python</strong>, and <strong>mod_ruby</strong>, and to
56 applications implemented in C as apache modules where privilege
57 separation is an issue.</p>
58
59 </summary>
60
61 <directivesynopsis>
62 <name>VHostUser</name>
63 <description>Sets the User ID under which a virtual host runs.</description>
64 <syntax>VHostUser <var>unix-userid</var></syntax>
65 <default>Inherits the userid specified in
66 <directive module="mod_unixd">User</directive></default>
67 <contextlist><context>virtual host</context></contextlist>
68 <compatibility>Available on Solaris 10 and OpenSolaris with
69 non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>
70
71 <usage>
72 <p>The <directive>VHostUser</directive> directive sets the Unix userid
73 under which the server will process requests to a virtualhost.
74 The userid is set before the request is processed and reset afterwards
75 using <a
76 href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
77 >Solaris Privileges</a>. Since the setting applies to the
78 <em>process</em>, this is not compatible with threaded MPMs.</p>
79 <p><var>Unix-userid</var> is one of:</p>
80 <dl>
81 <dt>A username</dt>
82 <dd>Refers to the given user by name.</dd>
83
84 <dt><code>#</code> followed by a user number.</dt>
85 <dd>Refers to a user by its number.</dd>
86 </dl>
87
88 <note type="warning"><title>Security</title>
89 <p>This directive cannot be used to run apache as root!
90 Nevertheless, it opens potential security issues similar to
91 those discussed in the <a href="../suexec.html">suexec</a>
92 documentation.</p></note>
93 </usage>
94 <seealso><directive module="mod_unixd">User</directive></seealso>
95 <seealso><directive module="mod_suexec">SuexecUserGroup</directive></seealso>
96 </directivesynopsis>
97
98 <directivesynopsis>
99 <name>VHostGroup</name>
100 <description>Sets the Group ID under which a virtual host runs.</description>
101 <syntax>VHostGroup <var>unix-groupid</var></syntax>
102 <default>Inherits the group id specified in
103 <directive module="mod_unixd">Group</directive></default>
104 <contextlist><context>virtual host</context></contextlist>
105 <compatibility>Available on Solaris 10 and OpenSolaris with
106 non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>
107
108 <usage>
109 <p>The <directive>VHostGroup</directive> directive sets the Unix group
110 under which the server will process requests to a virtualhost.
111 The group is set before the request is processed and reset afterwards
112 using <a
113 href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
114 >Solaris Privileges</a>. Since the setting applies to the
115 <em>process</em>, this is not compatible with threaded MPMs.</p>
116 <p><var>Unix-group</var> is one of:</p>
117 <dl>
118 <dt>A group name</dt>
119 <dd>Refers to the given group by name.</dd>
120
121 <dt><code>#</code> followed by a group number.</dt>
122 <dd>Refers to a group by its number.</dd>
123 </dl>
124
125 <note type="warning"><title>Security</title>
126 <p>This directive cannot be used to run apache as root!
127 Nevertheless, it opens potential security issues similar to
128 those discussed in the <a href="../suexec.html">suexec</a>
129 documentation.</p></note>
130 </usage>
131 <seealso><directive module="mod_unixd">Group</directive></seealso>
132 <seealso><directive module="mod_suexec">SuexecUserGroup</directive></seealso>
133 </directivesynopsis>
134
135 <directivesynopsis>
136 <name>VHostSecure</name>
137 <description>Determines whether the server runs with enhanced security
138 for the virtualhost.</description>
139 <syntax>VHostSecure On|Off</syntax>
140 <default>VHostSecure On</default>
141 <contextlist><context>virtual host</context></contextlist>
142 <compatibility>Available on Solaris 10 and OpenSolaris with
143 non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>
144
145 <usage>
146 <p>Determines whether the virtual host processes requests with
147 security enhanced by removal of <a
148 href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
149 >Privileges</a> that are rarely needed in a webserver, but which are
150 available by default to a normal Unix user and may therefore
151 be required by modules and applications. It is recommended that
152 you retain the default (On) unless it prevents an application running.
153 Since the setting applies to the <em>process</em>, this is not
154 compatible with threaded MPMs.</p>
155 <note><title>Note</title>
156 <p>If <directive>VHostSecure</directive> prevents an application
157 running, this may be a warning sign that the application should be
158 reviewed for security.</p></note>
159 </usage>
160 </directivesynopsis>
161
162 <directivesynopsis>
163 <name>VHostCGIMode</name>
164 <description>Determines whether the virtualhost can run
165 subprocesses, and the privileges available to subprocesses.</description>
166 <syntax>VHostCGIMode On|Off|Secure</syntax>
167 <default>VHostCGIMode On</default>
168 <contextlist><context>virtual host</context></contextlist>
169 <compatibility>Available on Solaris 10 and OpenSolaris with
170 non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>
171
172 <usage>
173 <p>Determines whether the virtual host is allowed to run fork and exec,
174 the <a
175 href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
176 >privileges</a> required to run subprocesses. If this is set to
177 <var>Off</var> the virtualhost is denied the privileges and will not
178 be able to run traditional CGI programs or scripts under the traditional
179 <module>mod_cgi</module>, nor similar external programs such as those
180 created by <module>mod_ext_filter</module> or
181 <directive module="mod_rewrite">RewriteMap</directive> <var>prog</var>.
182 Note that it does not prevent CGI programs running under alternative
183 process and security models such as <a href="http://fastcgi.coremail.cn"
184 >mod_fcgid</a>, which is a recommended solution in Solaris.</p>
185 <p>If set to <var>On</var> or <var>Secure</var>, the virtual host
186 is permitted to run external programs and scripts as above.
187 Setting <directive>VHostCGIMode</directive> <var>Secure</var> has
188 the effect of denying privileges to the subprocesses, as described
189 for <directive>VHostSecure</directive>.</p>
190 </usage>
191 </directivesynopsis>
192
193 <directivesynopsis>
194 <name>DTracePrivileges</name>
195 <description>Determines whether the privileges required by dtrace are enabled.</description>
196 <syntax>DTracePrivileges On|Off</syntax>
197 <default>DTracePrivileges Off</default>
198 <contextlist><context>server config</context></contextlist>
199 <compatibility>Available on Solaris 10 and OpenSolaris with
200 non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>
201
202 <usage>
203 <p>This server-wide directive determines whether Apache will run with
204 the <a
205 href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
206 >privileges</a> required to run
207 <a href="http://www.sun.com/bigadmin/content/dtrace/">dtrace</a>.
208 Note that <var>DTracePrivileges On</var> will not in itself
209 activate DTrace, but <var>DTracePrivileges Off</var> will prevent
210 it working.</p>
211 </usage>
212 </directivesynopsis>
213
214 <directivesynopsis>
215 <name>VHostPrivs</name>
216 <description>Assign arbitrary privileges to a virtual host.</description>
217 <syntax>VHostPrivs [+-]?<var>privilege-name</var> [[+-]?privilege-name] ...</syntax>
218 <default>None</default>
219 <contextlist><context>virtual host</context></contextlist>
220 <compatibility>Available on Solaris 10 and OpenSolaris with
221 non-threaded MPMs (<module>prefork</module> or custom MPM).
222 and when <module>mod_privileges</module> is compiled with the
223 <var>BIG_SECURITY_HOLE</var> compile-time option.</compatibility>
224
225 <usage>
226 <p><directive>VHostPrivs</directive> can be used to assign arbitrary <a
227 href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
228 >privileges</a> to a virtual host. Each <var>privilege-name</var>
229 is the name of a Solaris privilege, such as <var>file_setid</var>
230 or <var>sys_nfs</var>.</p>
231
232 <p>A <var>privilege-name</var> may optionally be prefixed by
233 + or -, which will respectively allow or deny a privilege.
234 If used with neither + nor -, all privileges otherwise assigned
235 to the virtualhost will be denied. You can use this to override
236 any of the default sets and construct your own privilege set.</p>
237
238 <note type="warning"><title>Security</title>
239 <p>This directive can open huge security holes in apache, up to
240 and including running requests with root-level powers. Do not
241 use it unless you fully understand what you are doing!</p></note>
242 </usage>
243 </directivesynopsis>
244
245 <directivesynopsis>
246 <name>VHostCGIPrivs</name>
247 <description>Assign arbitrary privileges to subprocesses created
248 by a virtual host.</description>
249 <syntax>VHostPrivs [+-]?<var>privilege-name</var> [[+-]?privilege-name] ...</syntax>
250 <default>None</default>
251 <contextlist><context>virtual host</context></contextlist>
252 <compatibility>Available on Solaris 10 and OpenSolaris with
253 non-threaded MPMs (<module>prefork</module> or custom MPM)
254 and when <module>mod_privileges</module> is compiled with the
255 <var>BIG_SECURITY_HOLE</var> compile-time option.</compatibility>
256
257 <usage>
258 <p><directive>VHostCGIPrivs</directive> can be used to assign arbitrary <a
259 href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
260 >privileges</a> to subprocesses created by a virtual host, as discussed
261 under <directive>VHostCGIMode</directive>. Each <var>privilege-name</var>
262 is the name of a Solaris privilege, such as <var>file_setid</var>
263 or <var>sys_nfs</var>.</p>
264
265 <p>A <var>privilege-name</var> may optionally be prefixed by
266 + or -, which will respectively allow or deny a privilege.
267 If used with neither + nor -, all privileges otherwise assigned
268 to the virtualhost will be denied. You can use this to override
269 any of the default sets and construct your own privilege set.</p>
270
271 <note type="warning"><title>Security</title>
272 <p>This directive can open huge security holes in apache subprocesses,
273 up to and including running them with root-level powers. Do not
274 use it unless you fully understand what you are doing!</p></note>
275 </usage>
276 </directivesynopsis>
277
278
279
280 </modulesynopsis>
apache@apache.org
 ViewVC Help
Powered by ViewVC 1.1.2