On 15 Jan 2009, at 19:15, Jeff Trawick wrote:

> Nick Kew wrote:
>> Jeff Trawick wrote:
>>> Nick Kew wrote:
>>>> As you may know, I've recently written a module mod_privileges
>>>> that makes Apache HTTPD privileges(5)-aware, and provides a
>>>> solution for the long-standing problem of running different
>>>> virtual hosts under different Unix users/groups.
>>>> http://httpd.apache.org/docs/2.3/mod/mod_privileges.html
>>>>
>>>> mod_privileges works only with development versions of Apache.
>>>> I'm proposing a backport to make it work with the release
>>>> version 2.2, and include it as standard in Sun's webstack.
>>>> I attach a draft: comments welcome.
>>>
>>> BTW, how big a patch is needed to Apache 2.2?
>>
>> It's small and straightforward enough, having figured out the
>> sequencing while working on trunk through mod_unixd and the
>> drop_privileges hook. All the non-trivial work is essentially
>> done in having figured that lot out.
>>
> cool; I didn't see anything in the ARC about Apache specifically so I
> guess it has no new interface?

The ARC Case template I used describes new files as "interfaces".
But no, it doesn't touch any existing interfaces, nor introduce
anything new other than as documented for the trunk version.

> A few comments/questions:
> What is privileges-scan?

A script on my to-do list that scans apache's files and userdirs
for privileges-aware code that could be loaded and flags them up
for the sysop. See the discussion of privilege escalation in
the manual page.

> Is 64-bit Apache supported?
> (i.e., will there be
> /usr/apache2/2.2/libexec/${ISAINFO}/mod_privileges.so?)

I would presume so. Should I say so explicitly?

> Is a sample configuration snippet provided?
> (/etc/apache2/2.2/samples-conf.d/privileges.conf)

I hadn't thought about it, but I guess that makes sense.

> For "Patch to httpd core /usr/apache2/2.2/bin/httpd"...
> Does that introduce any user interfaces, or is it all implementation
> details, in which case I don't think the ARC has
> to mention it.

It's just implementation. I thought it was relevant in terms of
what a patch adds to the burden of maintenance. I guess that's
what becomes of using an ARC case for such a small proposal.

--
Nick Kew