Contents of /httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml

Revision 765672 - (show annotations)
Thu Apr 16 15:40:56 2009 UTC (7 months, 1 week ago) by lgentis
File MIME type: text/xml
File size: 16462 byte(s)
Two small typos.
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->

<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<modulesynopsis metafile="mod_privileges.xml.meta">

<name>mod_privileges</name>
<description>Support for Solaris privileges and for running virtual hosts
under different user IDs.</description>
<status>Experimental</status>
<identifier>privileges_module</identifier>
<compatibility>Available in Apache 2.3 and up, on Solaris 10 and
OpenSolaris platforms</compatibility>

<summary>
<p>This module enables different Virtual Hosts to run with different
Unix&trade; <var>User</var> and <var>Group</var> IDs, and with different
<a href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>Solaris Privileges</a>. In particular, it offers a solution to the
problem of privilege separation between different Virtual Hosts, first
promised by the abandoned perchild MPM. It also offers other security
enhancements.</p>

<p>Unlike perchild, <module>mod_privileges</module>
is not itself an MPM. It works <em>within</em> a processing model to
set privileges and User/Group <em>per request</em> in a running process.
It is therefore not compatible with a threaded MPM, and will refuse
to run under one.</p>

<p><module>mod_privileges</module> raises security issues similar to
those of <a href="../suexec.html">suexec</a>. But unlike suexec,
it applies not only to CGI programs but to the entire request processing
cycle, including in-process applications and subprocesses.
It is ideally suited to running PHP applications under <strong>mod_php</strong>,
which is also incompatible with threaded MPMs. It is also well-suited
to other in-process scripting applications such as <strong>mod_perl</strong>,
<strong>mod_python</strong>, and <strong>mod_ruby</strong>, and to
applications implemented in C as apache modules where privilege
separation is an issue.</p>

</summary>

<section id="security"><title>Security Considerations</title>
<p>There are three principal security concerns with mod_privileges:</p>
<ul><li>Running as a system user introduces the same security issues
as mod_suexec, and near-equivalents such as cgiwrap and suphp.</li>
<li>A privileges-aware malicious user extension (module or script)
could escalate its privileges to anything available to the
httpd process in any virtual host.</li>
<li>A privileges-aware malicious user extension (module or script)
could escalate privileges to set its user ID to another
system user (and/or group).</li>
</ul>

<p>The first is amply discussed in the suexec page and elsewhere, and
doesn't need repeating here. The second and third boil down to one
principle: ensure no untrusted privileges-aware code can be loaded.
</p>

<p>There are several ways privileges-aware code could be loaded into Apache:</p>
<ul>
<li>within the base system (e.g. mod_privileges itself if statically linked).</li>
<li>Loaded at startup using a LoadModule or LoadFile directive.</li>
<li>Loaded at startup indirectly by an application module such as mod_php.</li>
<li>Loaded at runtime by an application module or script.</li>
</ul>

<p>What gets loaded at startup is under the control of the sysop, and
relatively easy to deal with. A tool will be provided to audit your
installation. That leaves code loaded in the course of processing a
request as the threat. There is unfortunately no generic way apache
can control what a script running under an application module can load,
so you should use the security provided by your scripting module
and language.</p>

<section><title>Security with mod_php</title>

<p>There is no known PHP extension supporting Solaris privileges, so it
is unlikely that a script could escalate privileges unless it can
load external (non-PHP) privileges-aware code. However, you should
nevertheless audit your mod_php installation.</p>

<p>To prevent scripts loading privileges-aware code, PHP's dl() function
should be disabled. This is automatic in safe mode.</p>

</section>

<section><title>Security with mod_perl</title>

<p>Perl has an extension Sun::Solaris::Privileges that exposes the privileges
API to scripts. You should ensure this extension is NOT installed if you
have untrusted users.</p>

<p>You will also need to ensure that your users cannot load shared objects
(including PerlXS) from their own user directories, or, if this is
enabled, that the entire user-space is carefully audited.</p>
</section>

<section><title>Security with mod_python</title>

<p>There is no known Python extension supporting Solaris privileges, so it
is unlikely that a script could escalate privileges unless it can
load external (non-Python) privileges-aware code. However, you should
nevertheless audit your mod_python installation.</p>

<p>*** What are the issues of Python loading a shared object?</p>
</section>

<section><title>Security with mod_ruby</title>

<p>There is no known Ruby extension supporting Solaris privileges, so it
is unlikely that a script could escalate privileges unless it can
load external (non-Ruby) privileges-aware code. However, you should
nevertheless audit your mod_ruby installation.</p>

<p>*** What are the issues of Ruby loading a shared object?</p>
</section>

<section><title>Security with Lua/mod_wombat</title>

<p>???</p>
</section>
<section><title>Security with scripts</title>
<p>The security issues of mod_privileges do not affect scripts such as
traditional CGI, which run in a separate process. That includes
PHP, Perl, Python, Ruby, etc., run out-of-process.</p>
</section>
</section>
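<p>The audit tool mentioned above is not on this page. What follows is an
added helper (it is not part of httpd or of mod_privileges) that covers the
startup-loaded part of the problem and the two per-language checks from the
subsections: it lists every shared object named by a LoadModule or LoadFile
directive, flags the ones whose dynamic symbol table references the Solaris
privilege API, confirms the Perl Sun::Solaris::Privileges extension cannot be
loaded, and confirms PHP's dl() is unavailable. The httpd.conf path, the
ServerRoot and the sample file names are assumptions; it does not follow
Include directives, so run it on each included file too.</p>

```shell
#!/bin/sh
# Added audit helper; not part of mod_privileges or httpd. Usage:
#   sh audit_privileges.sh /path/to/httpd.conf [/path/to/ServerRoot]
# (both paths are assumptions for the reader's own installation).

# Print the object paths named by LoadModule/LoadFile in a config file,
# one per line. Comment lines are skipped; Include is not followed.
list_loaded_objects() {
    awk '
        $1 ~ /^#/ { next }
        $1 == "LoadModule" && NF >= 3 { print $3 }
        $1 == "LoadFile" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Exit 0 when the object imports or exports one of the libc privilege
# functions. nm -D lists dynamic symbols on both Solaris and GNU binutils;
# the symbol name is the last field of each line.
is_privileges_aware() {
    nm -D "$1" 2>/dev/null |
        grep -Eq ' (setppriv|getppriv|priv_set|priv_addset|priv_delset)$'
}

# Exit 0 when Sun::Solaris::Privileges cannot be loaded (or perl is absent).
perl_privileges_absent() {
    command -v perl >/dev/null 2>&1 || return 0
    ! perl -MSun::Solaris::Privileges -e 1 2>/dev/null
}

# Exit 0 when PHP's dl() is unavailable (or php is absent). This asks the
# CLI SAPI; also confirm disable_functions in the php.ini that mod_php reads.
php_dl_disabled() {
    command -v php >/dev/null 2>&1 || return 0
    php -r 'exit(function_exists("dl") ? 1 : 0);' 2>/dev/null
}

# Walk the startup-loaded objects and report findings, one line each.
audit_startup_objects() {
    conf="$1"; root="${2:-.}"
    list_loaded_objects "$conf" | while read -r obj; do
        case "$obj" in /*) path="$obj" ;; *) path="$root/$obj" ;; esac
        if [ ! -r "$path" ]; then
            echo "MISSING   $path"
        elif is_privileges_aware "$path"; then
            echo "PRIVAWARE $path   (review: this code can change privileges)"
        else
            echo "ok        $path"
        fi
    done
    perl_privileges_absent || echo "WARNING   Sun::Solaris::Privileges is installed"
    php_dl_disabled        || echo "WARNING   PHP dl() is enabled"
}

if [ -n "${1:-}" ]; then
    audit_startup_objects "$1" "${2:-}"
fi
```

<p>A PRIVAWARE line is not by itself a finding: mod_privileges.so itself
must reference the privilege API. It is the list of objects you did not
expect to see there that needs explaining.</p>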
<directivesynopsis>
<name>VHostUser</name>
<description>Sets the User ID under which a virtual host runs.</description>
<syntax>VHostUser <var>unix-userid</var></syntax>
<default>Inherits the userid specified in
<directive module="mod_unixd">User</directive></default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>The <directive>VHostUser</directive> directive sets the Unix userid
under which the server will process requests to a virtualhost.
The userid is set before the request is processed and reset afterwards
using <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>Solaris Privileges</a>. Since the setting applies to the
<em>process</em>, this is not compatible with threaded MPMs.</p>
<p><var>Unix-userid</var> is one of:</p>
<dl>
<dt>A username</dt>
<dd>Refers to the given user by name.</dd>

<dt><code>#</code> followed by a user number.</dt>
<dd>Refers to a user by its number.</dd>
</dl>

<note type="warning"><title>Security</title>
<p>This directive cannot be used to run apache as root!
Nevertheless, it opens potential security issues similar to
those discussed in the <a href="../suexec.html">suexec</a>
documentation.</p></note>
</usage>
<seealso><directive module="mod_unixd">User</directive></seealso>
<seealso><directive module="mod_suexec">SuexecUserGroup</directive></seealso>
</directivesynopsis>

<directivesynopsis>
<name>VHostGroup</name>
<description>Sets the Group ID under which a virtual host runs.</description>
<syntax>VHostGroup <var>unix-groupid</var></syntax>
<default>Inherits the group id specified in
<directive module="mod_unixd">Group</directive></default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>The <directive>VHostGroup</directive> directive sets the Unix group
under which the server will process requests to a virtualhost.
The group is set before the request is processed and reset afterwards
using <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>Solaris Privileges</a>. Since the setting applies to the
<em>process</em>, this is not compatible with threaded MPMs.</p>
<p><var>Unix-groupid</var> is one of:</p>
<dl>
<dt>A group name</dt>
<dd>Refers to the given group by name.</dd>

<dt><code>#</code> followed by a group number.</dt>
<dd>Refers to a group by its number.</dd>
</dl>

<note type="warning"><title>Security</title>
<p>This directive cannot be used to run apache as root!
Nevertheless, it opens potential security issues similar to
those discussed in the <a href="../suexec.html">suexec</a>
documentation.</p></note>
</usage>
<seealso><directive module="mod_unixd">Group</directive></seealso>
<seealso><directive module="mod_suexec">SuexecUserGroup</directive></seealso>
</directivesynopsis>

<directivesynopsis>
<name>VHostSecure</name>
<description>Determines whether the server runs with enhanced security
for the virtualhost.</description>
<syntax>VHostSecure On|Off</syntax>
<default>VHostSecure On</default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>Determines whether the virtual host processes requests with
security enhanced by removal of <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>Privileges</a> that are rarely needed in a webserver, but which are
available by default to a normal Unix user and may therefore
be required by modules and applications. It is recommended that
you retain the default (On) unless it prevents an application running.
Since the setting applies to the <em>process</em>, this is not
compatible with threaded MPMs.</p>
<note><title>Note</title>
<p>If <directive>VHostSecure</directive> prevents an application
running, this may be a warning sign that the application should be
reviewed for security.</p></note>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>VHostCGIMode</name>
<description>Determines whether the virtualhost can run
subprocesses, and the privileges available to subprocesses.</description>
<syntax>VHostCGIMode On|Off|Secure</syntax>
<default>VHostCGIMode On</default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>Determines whether the virtual host is allowed to run fork and exec,
the <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>privileges</a> required to run subprocesses. If this is set to
<var>Off</var> the virtualhost is denied the privileges and will not
be able to run traditional CGI programs or scripts under the traditional
<module>mod_cgi</module>, nor similar external programs such as those
created by <module>mod_ext_filter</module> or
<directive module="mod_rewrite">RewriteMap</directive> <var>prog</var>.
Note that it does not prevent CGI programs running under alternative
process and security models such as <a href="http://fastcgi.coremail.cn"
>mod_fcgid</a>, which is a recommended solution in Solaris.</p>
<p>If set to <var>On</var> or <var>Secure</var>, the virtual host
is permitted to run external programs and scripts as above.
Setting <directive>VHostCGIMode</directive> <var>Secure</var> has
the effect of denying privileges to the subprocesses, as described
for <directive>VHostSecure</directive>.</p>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>DTracePrivileges</name>
<description>Determines whether the privileges required by dtrace are enabled.</description>
<syntax>DTracePrivileges On|Off</syntax>
<default>DTracePrivileges Off</default>
<contextlist><context>server config</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM).</compatibility>

<usage>
<p>This server-wide directive determines whether Apache will run with
the <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>privileges</a> required to run
<a href="http://www.sun.com/bigadmin/content/dtrace/">dtrace</a>.
Note that <var>DTracePrivileges On</var> will not in itself
activate DTrace, but <var>DTracePrivileges Off</var> will prevent
it working.</p>
</usage>
</directivesynopsis>
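<p>The following configuration is an added example, not taken from the
mod_privileges documentation or from the httpd distribution. It puts the
VHostUser, VHostGroup, VHostSecure, VHostCGIMode and DTracePrivileges
directives described above together in one httpd.conf fragment for two
virtual hosts that must not be able to read each other's files: one that
runs an in-process application and never needs subprocesses, and one that
runs traditional CGI. The hostnames, usernames, numeric IDs and paths are
made-up placeholders; the prefork MPM and a Solaris 10 or OpenSolaris
host are assumed, as the compatibility notes require.</p>

```apache
# Added example, not part of the mod_privileges documentation.
# All names, IDs and paths below are placeholders for your own values.

# Server-wide (not per virtual host): keep the DTrace privileges off
# unless you are actively tracing httpd; this is also the default.
DTracePrivileges Off

# Host 1: PHP under mod_php, in-process. It never starts a subprocess,
# so it gets neither fork nor exec.
<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot /srv/www/shop
    # Requests for this host are processed as shopapp:shopapp rather than
    # the server-wide User/Group from mod_unixd, so files owned by the
    # other host's user are out of reach (given sensible file modes).
    VHostUser shopapp
    VHostGroup shopapp
    # Drop the privileges a normal Unix user has but a web server rarely
    # needs (the default; stated here so the intent is visible).
    VHostSecure On
    # Deny the fork/exec privileges entirely: no mod_cgi, mod_ext_filter
    # or RewriteMap prog for this host.
    VHostCGIMode Off
</VirtualHost>

# Host 2: traditional CGI. Subprocesses are needed, so they are allowed,
# but they start with the same reduced privilege set VHostSecure applies.
<VirtualHost *:80>
    ServerName cgi.example.com
    DocumentRoot /srv/www/cgi
    ScriptAlias /cgi-bin/ /srv/www/cgi/cgi-bin/
    # Numeric form: "#" followed by the uid/gid.
    VHostUser #1002
    VHostGroup #1002
    VHostSecure On
    VHostCGIMode Secure
</VirtualHost>
```

<p>If an application stops working once VHostSecure is On or VHostCGIMode
is Off, the documentation's advice above applies: treat that as a prompt to
review what the application is doing, not as a reason to turn the
protection off for the whole host.</p>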

<directivesynopsis>
<name>VHostPrivs</name>
<description>Assign arbitrary privileges to a virtual host.</description>
<syntax>VHostPrivs [+-]?<var>privilege-name</var> [[+-]?privilege-name] ...</syntax>
<default>None</default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM)
and when <module>mod_privileges</module> is compiled with the
<var>BIG_SECURITY_HOLE</var> compile-time option.</compatibility>

<usage>
<p><directive>VHostPrivs</directive> can be used to assign arbitrary <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>privileges</a> to a virtual host. Each <var>privilege-name</var>
is the name of a Solaris privilege, such as <var>file_setid</var>
or <var>sys_nfs</var>.</p>

<p>A <var>privilege-name</var> may optionally be prefixed by
+ or -, which will respectively allow or deny a privilege.
If used with neither + nor -, all privileges otherwise assigned
to the virtualhost will be denied. You can use this to override
any of the default sets and construct your own privilege set.</p>

<note type="warning"><title>Security</title>
<p>This directive can open huge security holes in apache, up to
and including running requests with root-level powers. Do not
use it unless you fully understand what you are doing!</p></note>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>VHostCGIPrivs</name>
<description>Assign arbitrary privileges to subprocesses created
by a virtual host.</description>
<syntax>VHostCGIPrivs [+-]?<var>privilege-name</var> [[+-]?privilege-name] ...</syntax>
<default>None</default>
<contextlist><context>virtual host</context></contextlist>
<compatibility>Available on Solaris 10 and OpenSolaris with
non-threaded MPMs (<module>prefork</module> or custom MPM)
and when <module>mod_privileges</module> is compiled with the
<var>BIG_SECURITY_HOLE</var> compile-time option.</compatibility>

<usage>
<p><directive>VHostCGIPrivs</directive> can be used to assign arbitrary <a
href="http://www.sun.com/bigadmin/features/articles/least_privilege.jsp"
>privileges</a> to subprocesses created by a virtual host, as discussed
under <directive>VHostCGIMode</directive>. Each <var>privilege-name</var>
is the name of a Solaris privilege, such as <var>file_setid</var>
or <var>sys_nfs</var>.</p>

<p>A <var>privilege-name</var> may optionally be prefixed by
+ or -, which will respectively allow or deny a privilege.
If used with neither + nor -, all privileges otherwise assigned
to the virtualhost will be denied. You can use this to override
any of the default sets and construct your own privilege set.</p>

<note type="warning"><title>Security</title>
<p>This directive can open huge security holes in apache subprocesses,
up to and including running them with root-level powers. Do not
use it unless you fully understand what you are doing!</p></note>
</usage>
</directivesynopsis>



</modulesynopsis>

Properties

Name Value
svn:eol-style native
svn:keywords LastChangedRevision
