On 8/5/2012 8:32 AM, Steinar H. Gunderson wrote:
> On Sun, Aug 05, 2012 at 11:05:59AM -0400, Jeff Trawick wrote:
>> Great! I'll do something about the remaining patch "before long".
>
> When the time comes, do we have any hopes of getting this back from trunk to
> 2.4, or would it need to wait for 2.6/3.0?
>
> FWIW, the mpm-itk security hardening that was discussed (running with uid != 0,
> and limiting setuid/setgid ranges through seccomp) is starting to come quite
> nicely along, although the problem of initgroups() remains (a rogue process
> with CAP_SETGID can add any supplementary group it pleases, and seccomp is
> unable to check it), and there's been very limited user testing so far.
> I guess we can't get fully down to the level of prefork, but it can get
> pretty close.
Steinar,

I solved a very similar problem by spinning off a low-numbered port daemon which accesses resources (in this case, port 21 or similar) and returns the fd to the caller after it evaluates whether that request is permitted by the configuration parsed when it was launched. The solution might give you some ideas on how this mpm could have very limited root privileges with very specific purposes, and not be at risk from any remote code execution flaws discovered in the future:

http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/modules/ftp/ftp_lowportd.c

Hope it inspires some interesting improvements :)

Bill
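The design Bill describes above, a privileged helper that opens the low port itself and hands the resulting descriptor back over a Unix socket only after checking the request against the configuration it was launched with, shown as an added example. This is not ftp_lowportd.c and not code from the httpd tree; the wire format (a 2-byte port request, a 4-byte errno reply, and the listening socket attached as SCM_RIGHTS), the function names, the loopback-only bind and the in-memory allow-list standing in for the parsed configuration are all this example's own assumptions. SOCK_CLOEXEC and MSG_CMSG_CLOEXEC make it Linux-specific.

```c
#define _GNU_SOURCE            /* SOCK_CLOEXEC and MSG_CMSG_CLOEXEC are Linux-specific */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Wire format on the AF_UNIX socketpair (assumed here, not ftp_lowportd's): the worker sends the
 * TCP port it wants; the daemon answers with an errno (0 = ok) and, only on success, the bound
 * listening socket attached as an SCM_RIGHTS control message. */
struct lowport_req { uint16_t port; };
struct lowport_rep { int32_t err; };
/* Allow-list lookup; the list stands in for the config parsed when the daemon launched. */
int policy_allows(const uint16_t *allowed, size_t n, uint16_t port)
{
    for (size_t i = 0; i < n; i++) if (allowed[i] == port) return 1;
    return 0;
}
/* Privileged side only: bind and listen on 127.0.0.1:port (root for ports below 1024). */
static int open_listener(uint16_t port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int one = 1, fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 16) == 0) return fd;
    int e = errno; close(fd); errno = e; return -1;
}
/* Send the reply; with fd >= 0 the kernel duplicates that descriptor into the receiver. */
static int send_fd(int sock, const struct lowport_rep *rep, int fd)
{
    struct iovec iov = { .iov_base = (void *)rep, .iov_len = sizeof *rep };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        memset(&u, 0, sizeof u);
        msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof fd);
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)sizeof *rep ? 0 : -1;
}
/* Daemon: serve one request. A port not on the allow-list gets EACCES and no descriptor. */
int lowportd_serve_one(int sock, const uint16_t *allowed, size_t n)
{
    struct lowport_req req; struct lowport_rep rep = { 0 }; int fd = -1;
    if (read(sock, &req, sizeof req) != (ssize_t)sizeof req) return -1;
    if (!policy_allows(allowed, n, req.port)) rep.err = EACCES;
    else if ((fd = open_listener(req.port)) < 0) rep.err = errno;
    int rc = send_fd(sock, &rep, fd);
    if (fd >= 0) close(fd);   /* the daemon keeps no copy; the in-flight descriptor stays valid */
    return rc;
}
/* Worker (unprivileged): ask for a port; get the listener (close-on-exec from arrival) or -1
 * with *err set. EPROTO means the daemon said "ok" but attached no descriptor. */
int worker_get_listener(int sock, uint16_t port, int *err)
{
    struct lowport_req req = { port }; struct lowport_rep rep = { EIO };
    struct iovec iov = { .iov_base = &rep, .iov_len = sizeof rep };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    int fd = -1;
    if (write(sock, &req, sizeof req) == (ssize_t)sizeof req &&
        recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) == (ssize_t)sizeof rep) {
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(c), sizeof fd);
    }
    *err = (fd < 0 && rep.err == 0) ? EPROTO : rep.err;
    if (rep.err && fd >= 0) close(fd);   /* never keep a descriptor that came with an error */
    return rep.err ? -1 : fd;
}
/* Parent plays the daemon, child the worker. Allow-list {0}: port 0 lets the kernel pick, so
 * this runs without root; a real list would name 21 or similar. Returns 0 on success. */
int self_check(void)
{
    int sv[2], status, err; const uint16_t allowed[] = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    pid_t pid = fork();
    if (pid == 0) {   /* a real worker would setuid() to its service account before this */
        struct sockaddr_in sa; socklen_t len = sizeof sa;
        int fd = worker_get_listener(sv[0], 0, &err);
        if (fd < 0 || getsockname(fd, (struct sockaddr *)&sa, &len) < 0 || !sa.sin_port) _exit(2);
        if (worker_get_listener(sv[0], 21, &err) != -1 || err != EACCES) _exit(3);
        _exit(0);
    }
    if (pid < 0) return 1;
    lowportd_serve_one(sv[1], allowed, 1);   /* one allowed request, then one denied */
    lowportd_serve_one(sv[1], allowed, 1);
    close(sv[0]); close(sv[1]);
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
int main(void) { int rc = self_check(); printf("lowportd round trip: %s\n", rc ? "FAILED" : "ok"); return rc; }
```

The point of the split is that the worker never holds CAP_NET_BIND_SERVICE or root: the only thing it can influence is the port number in the request, and the daemon decides from its own configuration, not from anything the worker's memory contains, so a remote code execution flaw in the worker yields at most the listeners the configuration already allowed. Two things a production helper adds beyond this sketch: it serves requests in a loop rather than once, and it checks the peer it is talking to (SO_PEERCRED on Linux) so that only the intended worker process can ask at all.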
