Re: WebDAV and reading / writing files as system users

2004-12-14 Thread Enrico Weigelt
* Graham Leggett [EMAIL PROTECTED] wrote:

Hi,

 I am busy researching the idea of an Apache + DAV server that would do 
 the job of what a typical Samba server does now - file sharing. An 
 Apache server would have the advantage of native SSL support, flexible 
 authentication configuration, etc.

If you just want a fileserver, you'll probably like to have a look
at Coda or Intermezzo. They both support strong authentication, 
clustering and replication. 

And if commercial stuff is an option, Novell Netware also does a good job.

snip
 The perchild mpm seems to be the closest thing to what I am looking for, 
 but the manual warns that it is not functional. Is this still the case?
Perchild doesn't really work - it's conceptually insecure. 
(users can ptrace their processes and so can - with a given chance - 
catch also other people's requests)

You're probably interested in 

http://www.metux.de/mpm/


We currently only work based on vhost-name, not yet on auth-credentials, 
but this is planned. 

There're some issues to think about, ie. we must ensure that mod_auth
gets in before we fetch the request in the multiplexer *or* we have
to do authentication by ourselves.

We've got similar problems with SSL by the way ...


cu
-- 
-
 Enrico Weigelt==   metux IT service

  phone: +49 36207 519931 www:   http://www.metux.de/
  fax:   +49 36207 519932 email: [EMAIL PROTECTED]
  cellphone: +49 174 7066481
-
 -- DSL from 0 euros -- static IP -- UUCP -- Hosting -- Webshops --
-


Re: WebDAV and reading / writing files as system users

2004-12-14 Thread Enrico Weigelt
* Sander Temme [EMAIL PROTECTED] wrote:

snip
 Could you mount the DAV filesystem on the local box, so that all access 
 would go through DAV? That way all access would go through Apache and 
 it could have its own sandbox.

a) are there *working* DAV filesystem drivers for several OS'es 
b) performance ?


cu


Re: WebDAV and reading / writing files as system users

2004-12-14 Thread Enrico Weigelt
* Graham Leggett [EMAIL PROTECTED] wrote:

snip
 But if this proper filesharing concept is to work properly, then at some 
 point the DAV server will have to support some kind of interaction with 
 the filesystem along far better lines than the current one user owns all.

Another point: why not use the kernel's access control when it's
proven for decades ?

btw: probably apache is not really the right tool for a fileserver.
aren't there other DAV servers out there ?


cu


Re: WebDAV and reading / writing files as system users

2004-12-14 Thread Enrico Weigelt
* Joshua Slive [EMAIL PROTECTED] wrote:

Hi,

 Yes.  I don't know of anyone successfully using perchild.  There is another
 group working on a successor called something like mpmmux, but they've
 been rather quiet too.
metuxmpm has been reported to be running successfully in production 
environments. 

snip
  Can perchild support the idea of becoming a user specified via an auth
  module using something like basic authentication?
 
 Not with its current design.  For one thing, it needs to have a pool of
 child threads available for each possible user, which would make it rather
 inappropriate for a large number of users.  For another thing, it
 currently only supports different users on a per-vhost basis.   But I
 suppose that last restriction would be easy enough to relax.

We've exactly the same problems in metuxmpm for now :(
(see my last posting)

But we're already working on demand-starting.


cu


Re: WebDAV and reading / writing files as system users

2004-05-09 Thread Greg Stein
On Fri, Apr 30, 2004 at 08:09:13PM +0200, Graham Leggett wrote:
 André Malo wrote:
 
 Hmm. I suspect, the difference is, that Apache was never designed to run as
 root.
 
 You're assuming the root account is the most damaging account to 
 compromise. In the case of a fileserver, you will very likely want some 
 files kept more private than others. If I as a hacker wanted to steal 
 private data from an Apache + DAV fileserver, and all the files were 
 owned by user apache, I would simply need to compromise the apache 
 account to have complete unrestricted access to all data on the server. 
 So, in a fileserver environment, hacking apache would be as 
 disastrous as hacking root. On this basis I would argue that _in a 
 fileserver environment_ all files under one account is less secure 
 (aka more risky) than system based file ownerships.

This is all fine and dandy discussion, but I really don't see that Apache
should or would build in facilities that are dependent upon running as
root. We explicitly discourage that behavior, we check for it, and we even
force the package to do extra legwork (-DBIG_SECURITY_HOLE) if they want
that.

So given all the push against running as root, why would the server grow a
lot of functionality to run in that particular mode of operation?

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/


Re: WebDAV and reading / writing files as system users

2004-05-09 Thread Greg Stein
On Fri, Apr 30, 2004 at 11:29:45AM +0530, Amit Athavale wrote:
 Greg Stein wrote:
...
 My POV has been (for a LONG while now): the DAV repository is private to
 the web server and the mod_dav module. Don't let local users near it.

 Maybe DAV ACL is the way to go ?

Nope. That is only about remotely managing the ACLs. It does nothing for
how the ACLs are stored/expressed within the server. And it really doesn't
do anything about multiple users and third-party access to the mod_dav
data repository.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/


Re: WebDAV and reading / writing files as system users

2004-04-30 Thread Amit Athavale
Sander Temme wrote:

On Apr 29, 2004, at 10:59 PM, Amit Athavale wrote:

 Maybe DAV ACL is the way to go ?

 AFAIK WebDAV+ACL+some kind authentication serves the purpose where each
 user having its own area and he can play with permissions of files and
 yet you have private repository and user doesn't have a clue of how the
 back-end storage is managed !


That is in fact what happens with Apache + mod_dav. You manage the 
access control using restrictions in your httpd.conf, .htaccess files 
etc. Where Apache gets the Authentication data doesn't really matter: 
its own password file, /etc/passwd or PAM, with the appropriate 
modules. It is responsible for enforcing the Authorization and Access 
control, and then writes everything as the web server user. This is 
actually not very different from what the kernel does: in the end the 
files are just bits on a disk and the unix AAA model we build is very 
much an artefact that said kernel enforces.

I have worked on a product that contained an Apache-based FTP module 
with the same AAA model, and people found this the web server owns 
everything idea hard to grasp. 

No, I was talking about DAV ACL model and if some day we have mod_dav 
implementing ACL draft (soon to be RFC), people have to grasp the web 
server owns everything idea ;)

Look at this :
http://www.webdav.org/acl/



S.





Re: WebDAV and reading / writing files as system users

2004-04-30 Thread Graham Leggett
Greg Stein wrote:

 Eesh. This has tended to come up w.r.t mod_dav for over five years now. My
 point of view is best summarized in this email:
   http://mailman.lyra.org/pipermail/dav-dev/2000-November/001746.html

 I really don't recommend it. Why do you need to have different owners for
 the files? Are people going to be logging onto the box and need to
 interact with the files locally?

Yes.

 That has a number of other problems (such
 as staying in sync with mod_dav w.r.t locking and properties and atomicity
 of requests, etc).
 My POV has been (for a LONG while now): the DAV repository is private to
 the web server and the mod_dav module. Don't let local users near it.

Currently DAV seems a logical choice for a protocol for a fileserver, 
over both Samba and NFS (as just two alternatives) because:

- It supports SSL, and therefore has some kind of security concept built 
into it.

- Unlike Samba (and despite the valiant effort of the Samba authors, who 
do sterling work, but...), Windows, etc which breaks every time a new OS 
release comes out, DAV is based on a recognised standard.

- If printing has become an HTTP like service via IPP, then it would 
be good if file sharing could also become an HTTP like service like DAV.

But if this proper filesharing concept is to work properly, then at some 
point the DAV server will have to support some kind of interaction with 
the filesystem along far better lines than the current one user owns all.

Regards,
Graham
--


Re: WebDAV and reading / writing files as system users

2004-04-30 Thread Graham Leggett
Joshua Slive wrote:

 If you really want apache to behave like samba, then I suppose you don't
 mind if apache runs as root.  Then it becomes rather more simple to do the
 sort of things you are interested in.  It also becomes rather more simple
 to compromise your box.

If I don't run Apache, then I would have to run Samba, which runs as 
root anyway, and therefore makes it far more simple to compromise my box 
anyway. I am swapping one evil for another, overall the situation is the 
same.

Keep in mind the application I am thinking about is not webserver 
that's trying to be a fileserver, but rather a fileserver that just 
happens to use the DAV protocol. I don't see the security risks of 
running Apache as root as being any different to running Samba as root.

Regards,
Graham
--


Re: WebDAV and reading / writing files as system users

2004-04-30 Thread André Malo
* Graham Leggett [EMAIL PROTECTED] wrote:

 Keep in mind the application I am thinking about is not webserver 
 that's trying to be a fileserver, but rather a fileserver that just 
 happens to use the DAV protocol. I don't see the security risks of 
 running Apache as root as being any different to running Samba as root.

Hmm. I suspect, the difference is, that Apache was never designed to run as
root.

nd
-- 
Gates's behaviour had proven to me that I need not count on him and his
two companions -- Karl May, Winnetou III

Something new in the West: http://pub.perlig.de/books.html#apache2


Re: WebDAV and reading / writing files as system users

2004-04-30 Thread Graham Leggett
André Malo wrote:

 Hmm. I suspect, the difference is, that Apache was never designed to run as
 root.

You're assuming the root account is the most damaging account to 
compromise. In the case of a fileserver, you will very likely want some 
files kept more private than others. If I as a hacker wanted to steal 
private data from an Apache + DAV fileserver, and all the files were 
owned by user apache, I would simply need to compromise the apache 
account to have complete unrestricted access to all data on the server. 
So, in a fileserver environment, hacking apache would be as 
disastrous as hacking root. On this basis I would argue that _in a 
fileserver environment_ all files under one account is less secure 
(aka more risky) than system based file ownerships.

Regards,
Graham
--


Re: WebDAV and reading / writing files as system users

2004-04-30 Thread Sander Temme
On Apr 30, 2004, at 10:26 AM, Graham Leggett wrote:

 Keep in mind the application I am thinking about is not webserver 
 that's trying to be a fileserver, but rather a fileserver that just 
 happens to use the DAV protocol. I don't see the security risks of 
 running Apache as root as being any different to running Samba as 
 root.

Could you mount the DAV filesystem on the local box, so that all access 
would go through DAV? That way all access would go through Apache and 
it could have its own sandbox.

S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF




Re: WebDAV and reading / writing files as system users

2004-04-29 Thread Greg Stein
On Thu, Apr 29, 2004 at 02:50:19AM +0200, Graham Leggett wrote:
 Hi all,
 
 I am busy researching the idea of an Apache + DAV server that would do 
 the job of what a typical Samba server does now - file sharing. An 
 Apache server would have the advantage of native SSL support, flexible 
 authentication configuration, etc.

Note that Apple's iDisk is simply Apache/mod_dav, so the idea certainly
isn't far-fetched :-)

 One thing I would like to be able to do is have the DAV server read and 
 write files as system users, along the lines of what suexec achieves for
 cgi programs. Obviously the DAV server would need to run as root (or 
 have some mechanism like suexec) in order to achieve this, and would 
 probably be set up as a private stripped down DAV-only server hiding 
 behind a reverse proxy of some kind in order to improve security.

Eesh. This has tended to come up w.r.t mod_dav for over five years now. My
point of view is best summarized in this email:

  http://mailman.lyra.org/pipermail/dav-dev/2000-November/001746.html

I really don't recommend it. Why do you need to have different owners for
the files? Are people going to be logging onto the box and need to
interact with the files locally? That has a number of other problems (such
as staying in sync with mod_dav w.r.t locking and properties and atomicity
of requests, etc).

My POV has been (for a LONG while now): the DAV repository is private to
the web server and the mod_dav module. Don't let local users near it.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/


Re: WebDAV and reading / writing files as system users

2004-04-29 Thread Amit Athavale




Greg Stein wrote:

  
  
One thing I would like to be able to do is have the DAV server read and 
write files as system users, along the lines of what suexec achieves for
cgi programs. Obviously the DAV server would need to run as root (or 
have some mechanism like suexec) in order to achieve this, and would 
probably be set up as a private stripped down DAV-only server hiding 
behind a reverse proxy of some kind in order to improve security.

  
  
Eesh. This has tended to come up w.r.t mod_dav for over five years now. My
point of view is best summarized in this email:

  http://mailman.lyra.org/pipermail/dav-dev/2000-November/001746.html

I really don't recommend it. Why do you need to have different owners for
the files? Are people going to be logging onto the box and need to
interact with the files locally? That has a number of other problems (such
as staying in sync with mod_dav w.r.t locking and properties and atomicity
of requests, etc).

My POV has been (for a LONG while now): the DAV repository is private to
the web server and the mod_dav module. Don't let local users near it.

Maybe DAV ACL is the way to go ?

AFAIK WebDAV+ACL+some kind authentication serves the purpose where each
user having its own area and he can play with permissions of files and yet
you have private repository and user doesn't have a clue of how the
back-end storage is managed !

  





WebDAV and reading / writing files as system users

2004-04-28 Thread Graham Leggett
Hi all,

I am busy researching the idea of an Apache + DAV server that would do 
the job of what a typical Samba server does now - file sharing. An 
Apache server would have the advantage of native SSL support, flexible 
authentication configuration, etc.

One thing I would like to be able to do is have the DAV server read and 
write files as system users, along the lines of what suexec achieves for 
cgi programs. Obviously the DAV server would need to run as root (or 
have some mechanism like suexec) in order to achieve this, and would 
probably be set up as a private stripped down DAV-only server hiding 
behind a reverse proxy of some kind in order to improve security.

The perchild mpm seems to be the closest thing to what I am looking for, 
but the manual warns that it is not functional. Is this still the case?

Can perchild support the idea of becoming a user specified via an auth 
module using something like basic authentication?

Regards,
Graham
--
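
The suexec-style approach asked about in the post above, sketched as an added example (not part of the original thread, and not Apache, suexec or mod_dav code): a root parent forks a throwaway child that permanently drops to the target user before writing, so the kernel's own permission checks decide the outcome. The `MIN_UID`/`MIN_GID` floor, the function names and the demo path are assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes setgroups() on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy floor (hypothetical values): no root, no system accounts. */
#define MIN_UID 1000
#define MIN_GID 1000

int target_allowed(uid_t uid, gid_t gid) {
    return uid != 0 && gid != 0 && uid >= MIN_UID && gid >= MIN_GID;
}

/* Child only: drop supplementary groups, then gid, then uid (order matters),
 * and prove root cannot be regained before touching the file. */
static int child_write(uid_t uid, gid_t gid, const char *path,
                       const char *data, size_t len) {
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return 1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return 2; /* drop was not permanent */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return 3; /* the kernel's permission check refused */
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : 4;
}

/* Privileged parent. Returns 0 on success, -1 if policy refuses the target,
 * -2 if not running as root, -3 on fork/wait failure, else the child's code. */
int write_as_user(uid_t uid, gid_t gid, const char *path,
                  const char *data, size_t len) {
    if (!target_allowed(uid, gid)) return -1;
    if (geteuid() != 0) return -2;
    pid_t pid = fork();
    if (pid < 0) return -3;
    if (pid == 0) _exit(child_write(uid, gid, path, data, len));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -3;
    return WEXITSTATUS(status);
}

int main(void) {
    const char *msg = "written as uid 1000\n"; /* constructed sample data */
    int rc = write_as_user(1000, 1000, "/tmp/dav-demo.txt", msg, strlen(msg));
    printf("write_as_user -> %d\n", rc);
    return 0;
}
```

Because the privilege drop happens in a forked child, the long-lived parent keeps root; that retained privilege is the exposure the replies in this thread object to.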


Re: WebDAV and reading / writing files as system users

2004-04-28 Thread Joshua Slive

On Thu, 29 Apr 2004, Graham Leggett wrote:
 The perchild mpm seems to be the closest thing to what I am looking for,
 but the manual warns that it is not functional. Is this still the case?

Yes.  I don't know of anyone successfully using perchild.  There is another
group working on a successor called something like mpmmux, but they've
been rather quiet too.

 Can perchild support the idea of becoming a user specified via an auth
 module using something like basic authentication?

Not with its current design.  For one thing, it needs to have a pool of
child threads available for each possible user, which would make it rather
inappropriate for a large number of users.  For another thing, it
currently only supports different users on a per-vhost basis.   But I
suppose that last restriction would be easy enough to relax.

Joshua.