A very interesting read for myself. The hat I am wearing is "admin/implementer" of AIX RBAC (role based access control) where the whole application is running as a non-root id (or non-superuser if you prefer).
The kernel privileges granted include setting "privileges" and accessing "all" files - which I shall be looking at to limit/manage removing the privileges and seeing what "breaks". If a seteuid() call is made - could it do that to root? must look into that (not so much httpd, but RBAC mechanisms in general).

My goal with an RBACed configuration of httpd is that a non-superuser could fully administer httpd - start/stop service; edit key config files.

So the interesting part of this read - maybe httpd has "unknown to me" needs to be "more super". And I may even have a reason to actually look at parts of the code :)

On Fri, Sep 21, 2012 at 2:29 PM, Jeff Trawick <traw...@gmail.com> wrote:

> On Sun, Aug 5, 2012 at 11:05 AM, Jeff Trawick <traw...@gmail.com> wrote:
> > On Sun, Aug 5, 2012 at 11:00 AM, Steinar H. Gunderson
> > <sgunder...@bigfoot.com> wrote:
> >> On Wed, Aug 01, 2012 at 01:58:16PM -0400, Jeff Trawick wrote:
> >>> Your post-perdir-config patch has been committed to trunk with r1368121.
> >>
> >> Thanks!
> >>
> >>> Attached is a patch to trunk that allows you to hook in to the stat
> >>> calls from directory walk. Call apr_stat() like core_dirwalk_stat()
> >>> but check for APR_STATUS_IS_EACCES(rv) and decide whether to run
> >>> lingering close and exit. Let us know how that goes.
> >>>
> >>> You still need the parse-htaccess patch for now.
> >>
> >> I backported this to 2.4.2, and changed mpm-itk to hook into that function
> >> with the following hook:
> >>
> >> static apr_status_t itk_dirwalk_stat(apr_finfo_t *finfo, request_rec *r,
> >>                                      apr_int32_t wanted)
> >> {
> >>     apr_status_t status = apr_stat(finfo, r->filename, wanted, r->pool);
> >>     if (ap_has_irreversibly_setuid && APR_STATUS_IS_EACCES(status)) {
> >>         ap_log_rerror(APLOG_MARK, APLOG_WARNING, status, r,
> >>                       "Couldn't read %s, closing connection.",
> >>                       r->filename);
> >>         ap_lingering_close(r->connection);
> >>         clean_child_exit(0);
> >>     }
> >>     return status;
> >> }
> >>
> >> Seems to work great, from my limited testing. As an extra bonus, I can easily
> >> call clean_child_exit() (which runs more cleanup hooks) instead of exit(),
> >> since this is in the MPM's own .c file.
> >
> > Great! I'll do something about the remaining patch "before long".
>
> It has been a while :)
>
> The dirwalk_stat hook has now been committed:
> http://svn.apache.org/viewvc?view=revision&revision=1388447
>
> Attached is a patch that adds a hook called just before htaccess is
> opened. See if you can use that to resolve the remaining issue.
>
> >>
> >> /* Steinar */
> >> --
> >> Homepage: http://www.sesse.net/
> >
> > --
> > Born in Roswell... married an alien...
> > http://emptyhammock.com/
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/