Separating Virtual Hosts: mod_privileges
A longstanding issue with web hosting on Apache is the lack of separation between virtual hosts. Users of a shared system had better trust each other, because if they have enough privilege to deploy non-trivial applications, they’re likely also to have enough privilege to crack each other’s apps. Of course the level of exposure depends on local factors – mostly the competence of the sysop – but it’s always a worry for security-minded users.
A complete solution to this is full virtualisation, including an entire apache instance per user. But that’s expensive. A range of partial solutions exist: generally these involve separate processes such as suexec and fastcgi (both for CGI). The perchild MPM promised full privilege separation, but was abandoned.
I have today uploaded a new module, mod_privileges, to Apache svn, under modules/arch/unix. This is a module for Solaris 10 and OpenSolaris that uses Solaris privileges to enhance webserver security. Specifically, it enables both privileges and the Unix user and group to be specified per virtual host. As with the perchild MPM, each virtual host can run as a different system user, and it will also (by default) run in a more secure mode than “normal”, by removing privileges a webserver rarely uses. A BIG_SECURITY_HOLE compile-time option lets you shoot yourself in the foot by running with your choice of privileges.
mod_privileges is currently in /trunk/, and won’t be in any released version of Apache for a while. It will require further work – including of course security audit – before it can be recommended for operational use.
And it has a major limitation: it won’t run with a threaded MPM. But neither will mod_php (at least not in a sane setup), so PHP users have nothing to lose. It’s also useful for other in-process scripting environments such as mod_perl, mod_python or mod_ruby. And therein lies its major target market: hosting companies offering scripting should find this meets a long-standing need!
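As an added illustration of the per-vhost separation described above (this configuration is mine, not part of the post or of the module’s documentation), here is how two customers’ sites might be isolated on one Apache instance. The directive names (PrivilegesMode, VHostUser, VHostGroup, VHostSecure) are those of mod_privileges as it was later shipped in Apache httpd 2.4; the trunk version announced here may differ, and the hostnames, users and paths are made up.

```apache
# Added example (not from the post): two sites on one Apache instance,
# each served under its own Unix user and with mod_privileges' reduced
# default privilege set. Needs a non-threaded MPM (prefork), per the post.
LoadModule privileges_module modules/mod_privileges.so

# Process-wide setting. SECURE re-applies the privilege drop on every
# request; FAST trusts that nothing re-acquired privileges in between.
# SECURE is the conservative choice for a multi-tenant host.
PrivilegesMode SECURE

<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /srv/www/alice
    # Requests for this vhost run as alice:alice, so a compromised
    # script here cannot read bob's files unless bob made them
    # world-readable.
    VHostUser  alice
    VHostGroup alice
    # Drop the privileges a webserver rarely needs (the module's default;
    # stated explicitly so the intent is visible in the config).
    VHostSecure On
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.com
    DocumentRoot /srv/www/bob
    VHostUser  bob
    VHostGroup bob
    VHostSecure On
</VirtualHost>
```

The separation is only as good as the filesystem permissions behind it: each DocumentRoot (and any PHP or mod_perl code under it) should be owned by its vhost user and not be group- or world-readable to the other tenants, otherwise the per-vhost uid buys little. VHostPrivs, which lets a vhost keep or add specific privileges, is the directive that the BIG_SECURITY_HOLE build option unlocks and is deliberately left out here.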