From: Nick Kew
There are three principal security concerns with mod_privileges:
+ +The basic security concerns with mod_privileges are:
The first is amply discussed in the suexec page and elsewhere, and -doesn't need repeating here. The second and third boil down to one -principle: ensure no untrusted privileges-aware code can be loaded. -
- -There are several ways privileges-aware code could be loaded into Apache:
-What gets loaded at startup is under the control of the sysop, and -relatively easy to deal with. A tool will be provided to audit your -installation. That leaves code loaded in the course of processing a -request as the threat. There is unfortunately no generic way apache -can control what a script running under an application module can load, -so you should use the security provided by your scripting module -and language.
- -There is no known PHP extension supporting Solaris privileges, so it -is unlikely that a script could escalate privileges unless it can -load external (non-PHP) privileges-aware code. However, you should -nevertheless audit your mod_php installation.
- -To prevent scripts loading privileges-aware code, PHP's dl() function -should be disabled. This is automatic in safe mode.
- -Perl has an extension Sun::Solaris::Privileges that exposes the privileges -API to scripts. You should ensure this extension is NOT installed if you -have untrusted users.
- -You will also need to ensure that your users cannot load shared objects -(including PerlXS) from their own user directories, or that if this is -enabled, the entire user-space must be carefully audited.
-The
Before describing the modes, we should also introduce the target +use cases: Benign vs Hostile. In a benign situation, you want to +separate users for their convenience, and protect them and the server +against the risks posed by honest mistakes, but you trust your users +are not deliberately subverting system security. In a hostile +situation - e.g. commercial hosting - you may have users deliberately +attacking the system or each other.
+You can select different
There is no known Python extension supporting Solaris privileges, so it -is unlikely that a script could escalate privileges unless it can -load external (non-Python) privileges-aware code. However, you should -nevertheless audit your mod_python installation.
- -*** What are the issues of Python loading a shared object?
This directive trades off performance vs security against +malicious, privileges-aware code. In SECURE mode, each request +runs in a secure subprocess, incurring a substantial performance penalty. +In FAST mode, the server is not protected against escalation +of privileges as discussed above.
+This directive differs slightly between a <Directory>
+ context (including equivalents such as Location/Files/If) and a
+ top-level or <VirtualHost>.
At top-level, it sets a default that will be inherited by virtualhosts.
+ In a virtual host, FAST or SECURE mode acts on the entire
+ HTTP request, and any settings in a <Directory>
+ context will be ignored. A third pseudo-mode
+ SELECTIVE defers the choice of FAST vs SECURE to directives in a
+ <Directory> context.
In a <Directory> context, it is applicable only
+ where SELECTIVE mode was set for the VirtualHost. Only
+ FAST or SECURE can be set in this context (SELECTIVE would be
+meaningless).
<Directory> context applies to the request.
+ This might give an attacker opportunities to introduce
+ code through a <VirtualHost> context
+ before privileges have been dropped and userid/gid set.
+There is no known Ruby extension supporting Solaris privileges, so it -is unlikely that a script could escalate privileges unless it can -load external (non-Ruby) privileges-aware code. However, you should -nevertheless audit your mod_ruby installation.
- -*** What are the issues of Ruby loading a shared object?
-???
-The security issues of mod_privileges do not affect scripts such as -traditional CGI, which run in a separate process. That includes -PHP, Perl, Python, Ruby, etc, run out-of-process.
-