Making Apache privilege aware
Maybe you remember my RBAC/Privileges-Tutorial in the the LKSF series. In the third part i described how to take away some privileges from the apache processes. But this takes the concept a whole step farther. Nick Kew announced on the Apache developer mailinglist the availability of a module to make Apache privilege-aware - “Introducing mod_privileges for Apache HTTPD:
This is a platform-specific module for Solaris 10 and OpenSolaris, that makes the webserver privileges(5)-aware. This enables the server to be run with enhanced security, and with different settings per virtual host.
With the use of this module you can define user, group and privileges of a virtual host.
Unlike perchild, mod_privileges is not itself an MPM. It works within a processing model to set privileges and User/Group per request in a running process.
This is a really interesting development: With such a module you can contain every virtual hosts in it´s own user/group combination and more important you can use privileges to controll the possibilities of an virtual hosts at the operating system level. For example you can take away the privileges to execute subprocesses (for example tradtional CGI scripts) at all by a single line of configuration. Really neat …