Hi Folks, We've been doing some work on privilege separation with Apache 1.3 and thought we'd share it with folk here. Not expecting this work to be integrated (as it relies on external mod_dav module), although it could serve as some groundwork for something similar in Apache 2.1
http://oss.metaparadigm.com/apache-privsep/ The Apache Privilege Separation patch addresses the problem of an Apache DAV server only being able to write files as the apache user (usually something like 'nobody' or 'www') and it does so in a very secure way. It can be used for instance to allow DAV access to ~user directories. In Privilege Separation mode Apache continues to run as an unprivileged user although one additional especially secure process runs as 'root'. The 'root' privileged separated process communicates with the main apache process via unix sockets and performs only two purposes. Responds to PAM authentication requests (pam_unix authentication is not normally possible due to the unprivileged apache process not being able to access shadow passwords, but due to the privilege separated design this is now possible and secure). Authentication responses include a cryptographic cookie which encodes the users credentials and is used in successive privileged filesystem requests made to the privsep process. Performs privileged filesystem operations on behalf of the unprivileged apache process as the privileges of the authenticated user. The crypto cookie is verified and then the effective userid is set and the file operation is performed. Certain auditable points in the apache and mod_dav code have been changed to use the privsep calls which communicate via unix sockets (priv_open, priv_unlink, priv_rmdir, etc...). File descriptors are passed back over unix sockets for open calls. Feedback much appreciated. Regards, Michael Clark.
