A very interesting read for myself. The hat I am wearing is
"admin/implementer" of AIX RBAC (role based access control) where the whole
application is running as a non-root id (or non-superuser if you prefer).

The kernel privileges granted include setting "privileges" and accessing
"all" files - which I shall be looking at to limit/manage removing the
privileges and seeing what "breaks".

If a seteuid() call is made - could it do that to root? Must look into that
(not so much httpd, but RBAC mechanisms in general).

My goal with an RBACed configuration of httpd is that a non-superuser could
fully administer httpd - start/stop service; edit key config files.

So the interesting part of this read - maybe httpd has "unknown to me"
needs to be "more super". And I may even have a reason to actually look at
parts of the code :)

On Fri, Sep 21, 2012 at 2:29 PM, Jeff Trawick <traw...@gmail.com> wrote:

> On Sun, Aug 5, 2012 at 11:05 AM, Jeff Trawick <traw...@gmail.com> wrote:
> > On Sun, Aug 5, 2012 at 11:00 AM, Steinar H. Gunderson
> > <sgunder...@bigfoot.com> wrote:
> >> On Wed, Aug 01, 2012 at 01:58:16PM -0400, Jeff Trawick wrote:
> >>> Your post-perdir-config patch has been committed to trunk with r1368121.
> >>
> >> Thanks!
> >>
> >>> Attached is a patch to trunk that allows you to hook in to the stat
> >>> calls from directory walk.  Call apr_stat() like core_dirwalk_stat()
> >>> but check for APR_STATUS_IS_EACCES(rv) and decide whether to run
> >>> lingering close and exit.  Let us know how that goes.
> >>>
> >>> You still need the parse-htaccess patch for now.
> >>
> >> I backported this to 2.4.2, and changed mpm-itk to hook into that function
> >> with the following hook:
> >>
> >>   static apr_status_t itk_dirwalk_stat(apr_finfo_t *finfo, request_rec *r,
> >>                                        apr_int32_t wanted)
> >>   {
> >>       apr_status_t status = apr_stat(finfo, r->filename, wanted, r->pool);
> >>       if (ap_has_irreversibly_setuid && APR_STATUS_IS_EACCES(status)) {
> >>            ap_log_rerror(APLOG_MARK, APLOG_WARNING, status, r,
> >>                          "Couldn't read %s, closing connection.",
> >>                          r->filename);
> >>            ap_lingering_close(r->connection);
> >>            clean_child_exit(0);
> >>       }
> >>       return status;
> >>   }
> >>
> >> Seems to work great, from my limited testing. As an extra bonus, I can easily
> >> call clean_child_exit() (which runs more cleanup hooks) instead of exit(),
> >> since this is in the MPM's own .c file.
> >
> > Great!  I'll do something about the remaining patch "before long".
>
> It has been a while :)
>
> The dirwalk_stat hook has now been committed:
> http://svn.apache.org/viewvc?view=revision&revision=1388447
>
> Attached is a patch that adds a hook called just before htaccess is
> opened.  See if you can use that to resolve the remaining issue.
>
> >
> >>
> >> /* Steinar */
> >> --
> >> Homepage: http://www.sesse.net/
> >
> >
> >
> > --
> > Born in Roswell... married an alien...
> > http://emptyhammock.com/
>
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
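
The quoted hook only acts once the child has irreversibly changed uid (`ap_has_irreversibly_setuid`), and the question above is whether a seteuid() call can get back to root. The following added example (not code from this thread, httpd or mpm-itk) contrasts a reversible seteuid() drop with an irreversible setuid() drop. It assumes plain POSIX uid semantics with no extra RBAC privileges granted to the process; `UNPRIV_UID`, `root_still_reachable` and `probe_regain_root` are hypothetical names.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID ((uid_t)65534)  /* assumption: an unprivileged uid such as "nobody" */

/* POSIX rule: without privilege, seteuid() may only select the real or saved uid,
 * so root stays reachable as long as any of the three ids is still 0. */
int root_still_reachable(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid == 0 || euid == 0 || suid == 0;
}

/* In a forked child, drop privileges and then try to take root back.
 * irreversible=0: seteuid() only (real and saved uid stay 0).
 * irreversible=1: setuid() as root (real, effective and saved uid all change).
 * Returns 1 if root was regained, 0 if not, -1 if the probe could not run. */
int probe_regain_root(int irreversible)
{
    int status;
    pid_t pid;

    if (geteuid() != 0)
        return -1;                       /* the probe must start as root */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = irreversible ? setuid(UNPRIV_UID) : seteuid(UNPRIV_UID);
        if (rc != 0 || geteuid() != UNPRIV_UID)
            _exit(2);                    /* the drop itself failed */
        _exit(seteuid(0) == 0 ? 1 : 0);  /* can we climb back? */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)
        || WEXITSTATUS(status) == 2)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("after seteuid(): root regained = %d\n", probe_regain_root(0));
    printf("after setuid():  root regained = %d\n", probe_regain_root(1));
    return 0;
}
```

Run as root, the seteuid() case reports 1 and the setuid() case reports 0; run as any other user, both probes report -1 because there is no privilege to drop.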
