Separating Virtual Hosts: mod_privileges

A longstanding issue with web hosting on Apache is the problem of lack of separation of virtual hosts.  Users of a system had better trust each other, because if they have privilege to deploy non-trivial applications, they’re likely also to have privilege to crack each other’s apps.  Of course the level of vulnerability depends on local factors – mostly the competence of the sysop – but it’s always a worry for security-minded users.

A complete solution to this is full virtualisation, including an entire apache instance per user.  But that’s expensive.  A range of partial solutions exist: generally these involve separate processes such as suexec and fastcgi (both for CGI).  The perchild MPM promised full privilege separation, but was abandoned.

I have today uploaded a new module mod_privileges to Apache svn, under modules/arch/unix.  This is a module for Solaris 10 and OpenSolaris, that uses Solaris privileges to enhance webserver security.  Specifically, it enables both privileges and Unix user&group to be specified per virtual host.  Like the perchild MPM, each virtual host can run as a different system user, and it will also (by default) run in a more secure mode than “normal”, by removing privileges rarely used by a webserver.  A BIG_SECURITY_HOLE compile-time option lets you shoot yourself in the foot by running with your choice of privileges.

mod_privileges is currently in /trunk/, and won’t be in any released version of Apache for a while.  It will require further work – including of course security audit – before it can be recommended for operational use.

And it has a major limitation: it won’t run with a threaded MPM.  But neither will mod_php (at least not in a sane setup), so PHP users have nothing to lose.  It’s also useful for other in-process scripting environments such as mod_perl, mod_python or mod_ruby.  And therein lies its major target market: hosting companies offering scripting should find this meets a long-standing need!

About these ads