https://issues.apache.org/bugzilla/show_bug.cgi?id=47021

           Summary: A new MPM (security) and mod_selinux module
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: [email protected]
        ReportedBy: [email protected]


We intend to execute web-applications under restrictive privileges (the
necessary minimum, if possible) to prevent system resources from being
unexpectedly accessed through buggy web-applications.

The new MPM (security) spawns a one-time process for each connection, and it
gives third-party modules a chance to assign individual privileges prior to the
invocation of content handlers.

The existing MPMs reuse a process or thread to handle multiple requests. This
gives us a benefit from the perspective of performance, but it also gives us a
headache. Some enhanced security mechanisms (such as SELinux) do not allow a
process to revert its privileges once they have been dynamically changed, which
means we cannot reuse a process that has already handled at least one request.

mod_selinux is a proof of concept. It assigns an individual security context
(privileges in SELinux) based on the result of HTTP authentication, prior to
the invocation of the web-application but after the authentication.

The MPM is implemented based on prefork with a few hacks.

- httpd-mpm_security-copied.090414.patch
  It is just a copy from prefork/ to security/.
- httpd-mpm_security-modified.090414.patch
  It contains the differences from the original prefork.
- httpd-mod_selinux.090414.patch
  It is the implementation of the mod_selinux module.

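The process model the report describes, as an added example that is not part of the bug report or of the attached patches: a dispatcher forks a fresh child per connection, the child applies a one-way privilege reduction before the (stub) content handler runs, and the parent keeps its own privileges untouched so it stays reusable. Lowering the RLIMIT_NOFILE hard limit stands in for the SELinux context transition, since for an unprivileged process it is equally irreversible; `dispatch_one_connection`, `handle_request` and `struct handoff` are names chosen for this example.

```c
/* Added example (not from the bug report or httpd): one-time child per
 * connection.  The child's privilege reduction cannot be undone, which is
 * exactly why such a child must never be reused for another request. */
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* What the child observed after dropping privileges, and what the parent
 * still has afterwards. */
struct handoff { rlim_t child_hard; rlim_t parent_hard; };

/* Stub content handler: runs in the child only, after the reduction. */
static void handle_request(struct rlimit *seen) {
    getrlimit(RLIMIT_NOFILE, seen);
}

/* Dispatch one "connection": fork, reduce privileges in the child, run the
 * handler, exit.  Returns 0 on success and fills in the observed limits. */
int dispatch_one_connection(struct handoff *out) {
    int pipefd[2];
    struct rlimit before, after, in_child;
    if (pipe(pipefd) != 0) return -1;
    if (getrlimit(RLIMIT_NOFILE, &before) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: one-way reduction (stand-in for an SELinux transition). */
        struct rlimit lowered = before;
        if (lowered.rlim_max > 64) lowered.rlim_max = 64;
        if (lowered.rlim_cur > lowered.rlim_max) lowered.rlim_cur = lowered.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &lowered) != 0) _exit(1);
        handle_request(&in_child);
        if (write(pipefd[1], &in_child.rlim_max, sizeof in_child.rlim_max) < 0) _exit(1);
        _exit(0);  /* one-time process: never handles a second request */
    }
    /* Parent: collect the child's view, reap it, re-check our own limit. */
    close(pipefd[1]);
    rlim_t child_hard = 0;
    ssize_t n = read(pipefd[0], &child_hard, sizeof child_hard);
    close(pipefd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof child_hard || status != 0) return -1;
    if (getrlimit(RLIMIT_NOFILE, &after) != 0) return -1;
    out->child_hard = child_hard;
    out->parent_hard = after.rlim_max;
    return 0;
}
```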