mod_hostinglimits and setuid
  1. Boris Dolgov
  2. Sunday, 03 July 2011
Hello!

As you have a patched kernel, I think it will be a great feature to allow mod_hostinglimits to setuid apache process to the user of the specified LVE and then setuid it back to the unprivileged user (in the way mod_hostinglimits escapes the LVE).
This can have a lot of security holes, but I believe that a correct implementation can't.
  1. 03.07.2011 21:07:37
  2. # 1
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
Boris,

We originally thought about it, and even implemented it. Yet, then just by looking at it, we understood just how huge of a security hole such an approach is.
The ability for the apache user to switch to an arbitrary user & back is just too huge a hole, that will be abused by hackers.
  1. 04.07.2011 04:07:32
  2. # 2
Boris Dolgov Accepted Answer
Posts: 11
Joined: 03.07.2011
So maybe you can implement something similar to mpm-itk for apache with this functionality and pack it to your repository? Processes run with setuid capability, when the request is parsed mpm or mod applies LVE and SecureLVE limits, setuids and drops setuid capability, and when a request (or all requests in keepalive-session corresponding to the current user) are processed, kills current apache process.
  1. 04.07.2011 07:07:44
  2. # 3
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
I am sorry, but in my opinion, MPM-itk is one big security nightmare by design, that also has terrible performance.
Running as root, switching to arbitrary uid from inside apache is just too big of an issue, that should be too easy to abuse.
  1. 05.07.2011 19:07:29
  2. # 4
Boris Dolgov Accepted Answer
Posts: 11
Joined: 03.07.2011
You are right here, this can be a security issue -- but we allow FTP and SSH servers to run as root before user authentication completes; we run one MySQL server for all users, that can easily be DoS-attacked.
Killing the process after each keepalive request processes is a big performance overhead, but php-cgi has much bigger performance overhead - it fork()s, execve()s two times, setuid()s and exit()s.
Or do you recommend to use php-fcgi and forget about mod_php and php-cgi?
  1. 05.07.2011 20:07:03
  2. # 5
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
If you look at the code for SSH & FTP -- it is very simple (the authentication part):
check credentials/drop privileges.
You have to keep surface of attack as small as possible.

This is not true with ITK -- apache does a lot of things between accepting request & processing virtual host. So, it is much more dangerous.

Also, while php-cgi is slower than MPM ITK, if you add up static HTML serving by ITK -- you will get better performance with MPM Worker + PHP as cgi than with ITK (though I have seen people putting nginx in front to overcome that).
Also, in terms of performance suPHP is better than php as cgi, and mod_fcgid is comparable in speed with mod_php (though it requires more RAM).
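Added example, not part of the thread and not code from mod_hostinglimits, MPM-ITK, sshd or any FTP server: the "check credentials/drop privileges" pattern as a permanent, verified drop in C, next to the reversible switch the thread rejects. The function names and the fallback uid/gid 65534 are assumptions made for illustration.

```c
/* Added illustration; drop_privileges/switch_and_return are hypothetical names. */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanent drop: once this returns 0 the process has no way back to root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                     /* refuse to "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                     /* clear root's supplementary groups first */
    if (setgid(gid) != 0)              /* group before user: it needs the privilege */
        return -1;
    if (setuid(uid) != 0)              /* as root: sets real, effective and saved uid */
        return -1;
    /* Verify rather than trust return codes: root must now be unreachable. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Reversible switch: only the effective uid changes and the saved uid stays 0,
 * so any code running in the process can switch back. Returns 1 if root was regained. */
int switch_and_return(uid_t uid)
{
    if (seteuid(uid) != 0)
        return -1;
    return seteuid(0) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed target: the calling user, or 65534 when started as root. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getuid() ? getgid() : 65534;

    if (geteuid() == 0)
        printf("reversible switch regained root: %d\n", switch_and_return(uid));
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("permanent drop ok, seteuid(0) now returns %d\n", seteuid(0));
    return 0;
}
```

Started as root, the first line reports that the seteuid-based switch got root back; after drop_privileges the same attempt fails.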
  1. 07.07.2011 06:07:07
  2. # 6
Boris Dolgov Accepted Answer
Posts: 11
Joined: 03.07.2011
I can't agree that httpd request parsing part is difficult.
Everything other is configuration and mpm related that is much more difficult to exploit.

I will try using php-fcgi on my test server to compare it with mpm-itk.