-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
93 lines (57 loc) · 2.45 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
Platforms
This module should work on all platforms supporting setresuid() and setresgid()
system calls.
This includes Linux, FreeBSD, OpenBSD, HPUX, but probably not all versions.
To see if you actually have a supported OS, simply run the configure script
------------------------------------------------------------------------------
Compilation
Simply do
./configure
make
make install (as root)
When configuring, make *sure* it finds the apxs that matches the target apache
installation.
------------------------------------------------------------------------------
Usage
Make apache load the module :
LoadModule suid_module /usr/libexec/apache/mod_suid.so
Make SURE that this is the last LoadModule line in your Apache config, else
you're at risk that stange thinks will happen.
If you're not on Linux, you need to tell Apache to start as root :
User root
Group root
in your httpd.conf. You will need to recompile apache with -DBIG_SECURITY_HOLE,
or apache will refuse to start.
If you want extra protection, install the lsm_rsuid kernel module, and
configure it (DO read the README !!)
In your main config, you must enable the suid module :
ModSuidEnable On
Tell it what user apache normally runs at (nobody, www-data) :
ModSuidApacheUser nobody
ModSuidApacheGroup nobody
In your vhost config :
SuidEnable yes
SuidPolicy user-group
Suid user someuser
Suid group somegroup
SuidPolicy can be user-group | file | parent-directory, I
use user-group myself.
-------------------------------------------------------------------------------
Problems
Apache uses a mutex to make sure only one child does an accept() on a
connection. The mutex used depends on the system, and what the administrator
tells it to use.
One some systems, it defaults to SysV, which is bad, since all operations are
checked with permissions. If you get errors in your logs about the mutex,
you're probably using SysV.
I suggest you change this to fcntl, using :
AcceptMutex fcntl
in your httpd.conf
-------------------------------------------------------------------------------
WARNING :
This code CAN open up your server to hackers. If you need a secure system,
DON'T use this module.
I HIGHLY recommend you disable all access to set*uid() and set*gid() functions in scripting languages.
If you want to prevent the apache process for switching to certain UID / GID's,
use the lsm_rsuid kernel module.
Don't bug me with warnings about how unsafe this is, I know :)