
mod_suid2

setuid module for apache-2.x




What is mod_suid2?

mod_suid2 is a setuid module for Apache 2.0: it makes the httpd process that serves a virtual host run with that host's own user and group.

Apache 2 includes mod_suexec. With it, CGI and SSI programs run with an ordinary user's rights instead of the server user's (apache, nobody, wwwuser).

For example, if a CGI program is owned by "user_a", it runs as "user_a" rather than "apache". This is done by the /usr/local/apache2/bin/suexec wrapper program.

That means mod_suexec can only run CGI or SSI programs with the program owner's rights; it cannot do the same for Apache modules such as WebDAV or PHP, which keep running as the User and Group set in httpd.conf.

The problem is that, with a large number of virtual hosts, isolation between one user and another is poor. Typically a bulletin board's or access counter's data file must be mode 0666 so that apache can read and write it, but then any other virtual host's user can read and write that file too.

To solve this, Apache 2 offers the Perchild MPM, but it is NOT stable.

With Apache 1.3 you can install mod_become to run the httpd process with the user's rights, but I could not find a module for Apache 2.0.

mod_suid2 is similar to mod_become, but for Apache 2, and the user switch is done per virtual host.

Security

To run the httpd process with the user's rights, I chose setuid(2). As you know, only a process running as root can setuid(2) to another user.

That means every httpd process must start as ROOT, so you have to compile and configure Apache 2 with the -DBIG_SECURITY_HOLE option (without it, httpd refuses to run as root).

When httpd receives and parses the HTTP headers from a client it is still running with superuser rights: the virtual host, and therefore the target user, is not known until the Host header has been read, so the switch cannot happen any earlier. If there is a buffer overflow in that code, an attacker can, or may, get a root shell.

There are some ways to make the server safer.

  • Run httpd in a chroot environment.
  • Install libsafe or compile Apache with StackGuard.
  • Install an IDS or IPS to protect the server.

Note that with mod_suid2 installed, isolation between one virtual host and another is good, but security against attacks from the Internet is worse, because the process that accepts requests runs as root.

Performance

By default MaxRequestsPerChild in httpd.conf is 0, which means one httpd process serves many requests from clients. But a process that has already called setuid(2) to become an ordinary user cannot setuid(2) to another user, so an httpd child that has already switched users must be killed after serving one request.

Killing each process and creating a new one takes time, and request performance suffers. Configuring httpd.conf as below helps a little.

httpd.conf

StartServers         100
MinSpareServers      5
MaxSpareServers      10
MaxClients           150
MaxRequestsPerChild  0
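The two claims above (the Security section's point that only root can setuid(2) to another user, and the Performance section's point that a child which has already switched users cannot switch again) can be checked directly. The following is an added example, not code from mod_suid2: it forks a child the way an httpd worker would, has the child switch credentials twice, and reports both results to the parent through the exit status so the parent keeps its own identity. The uid 65534 and the group-before-user ordering are my assumptions (65534 is "nobody" on most systems). Run it as root to see the -DBIG_SECURITY_HOLE situation (the first switch succeeds, returning to root fails with EPERM), and as an ordinary user to see why a non-root httpd could not do this at all.

```c
/* Added example (not mod_suid2's own code): what setuid(2) permits, observed
 * from a forked child the way an httpd worker would do it. Assumes Linux/POSIX
 * credential rules; the uid/gid numbers used are constructed values. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Switch the whole process to uid/gid, group first (once the uid is no longer 0,
 * setgid() would be refused). Returns 0 on success or the errno of the failed call. */
int switch_to(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return errno;
    if (setuid(uid) != 0)
        return errno;
    return 0;
}

/* Result of two consecutive switch_to() attempts in one process; -1 = not attempted. */
struct probe {
    int first;   /* errno of the first switch, 0 = success */
    int second;  /* errno of the second switch, 0 = success, -1 if the first failed */
};

/* Fork a child (like an httpd worker), switch it to (u1,g1) and then to (u2,g2),
 * and report both results through the exit status so the parent keeps its own ids.
 * Exit code < 100: errno of the first switch; >= 100: 100 + errno of the second. */
struct probe probe_in_child(uid_t u1, gid_t g1, uid_t u2, gid_t g2)
{
    struct probe p = { -1, -1 };
    pid_t pid = fork();
    if (pid < 0)
        return p;
    if (pid == 0) {
        int rc = switch_to(u1, g1);
        if (rc != 0)
            _exit(rc);
        _exit(100 + switch_to(u2, g2));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return p;
    int code = WEXITSTATUS(status);
    if (code >= 100) {
        p.first = 0;
        p.second = code - 100;
    } else {
        p.first = code;
    }
    return p;
}

int main(void)
{
    uid_t me = getuid();
    gid_t mg = getgid();
    /* constructed: an unprivileged id that is not our own */
    uid_t other = (me == 65534) ? 65533 : 65534;
    struct probe p;

    if (geteuid() == 0) {
        /* root (what -DBIG_SECURITY_HOLE permits): the first switch works, going back does not */
        p = probe_in_child(other, other, 0, 0);
    } else {
        /* unprivileged: switching to yourself is allowed, switching to anyone else is not */
        p = probe_in_child(me, mg, other, other);
    }
    printf("first switch:  %s\n", p.first == 0 ? "ok" : strerror(p.first));
    printf("second switch: %s\n", p.second == 0 ? "ok"
                                  : p.second < 0 ? "not attempted" : strerror(p.second));
    return 0;
}
```

The child exits instead of trying to recover because, exactly as the Performance section says, there is no way back: once the uid is non-zero the kernel drops the privilege needed for a further setuid(2), which is why each mod_suid2 child can serve only one request.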

Install

Installation is easy. First install Apache 2 with the -DBIG_SECURITY_HOLE option.

Installing Apache 2

% tar zxfv httpd-2.0.48.tar.gz
% env CFLAGS="-DBIG_SECURITY_HOLE" ./configure && make
# make install

Installing mod_suid2

# /usr/local/apache2/bin/apxs -a -i -c mod_suid2.c

Configuration

The configuration format is

SuidUserGroup Username Groupname

This is like the SuexecUserGroup format; you can use it in the global section or in a virtual host section.
Another form is

SuidUserGroup #uidNumber #gidNumber

or

SuidUidGid uidNumber gidNumber

The "#" form is useful for a user that has no username or group name. SuidUidGid takes bare numbers; it exists for systems with purely numeric usernames and is not recommended.
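As an added example (not mod_suid2's own code), here is how the three argument forms above can be resolved into a uid/gid pair the way an Apache module would, using the "#" convention from Apache's own ap_uname2id(): a leading "#" means a numeric id, otherwise the name is looked up in the password or group database. The refusal to switch to uid or gid 0 at the end is my own check, added because a virtual host running as root would defeat the module's purpose; the page does not say mod_suid2 performs it. The directive lines in main() are constructed samples.

```c
/* Added example (not mod_suid2's own code): resolving SuidUserGroup and
 * SuidUidGid arguments into a uid/gid pair, plus a refusal to target root
 * that is my own check. Assumes POSIX getpwnam(3)/getgrnam(3). */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Strict decimal parse of an id: whole string, no sign, no trailing junk. -1 on failure. */
static long parse_numeric(const char *s)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0)
        return -1;
    return v;
}

/* SuidUserGroup user argument: "#123" is a numeric uid (like Apache's ap_uname2id()),
 * anything else is a name looked up in the password database. -1 if unresolvable. */
long resolve_uid(const char *arg)
{
    if (arg == NULL || *arg == '\0')
        return -1;
    if (*arg == '#')
        return parse_numeric(arg + 1);
    struct passwd *pw = getpwnam(arg);
    return pw ? (long)pw->pw_uid : -1;
}

/* SuidUserGroup group argument, same rules against the group database. */
long resolve_gid(const char *arg)
{
    if (arg == NULL || *arg == '\0')
        return -1;
    if (*arg == '#')
        return parse_numeric(arg + 1);
    struct group *gr = getgrnam(arg);
    return gr ? (long)gr->gr_gid : -1;
}

/* Resolve one directive. Returns 0 and fills uid/gid on success, -1 if the directive
 * is unknown or an argument does not resolve, -2 if the target would be root
 * (refused: every request of that virtual host would then run with full superuser rights). */
int resolve_target(const char *directive, const char *a1, const char *a2, uid_t *uid, gid_t *gid)
{
    long u, g;
    if (strcmp(directive, "SuidUserGroup") == 0) {
        u = resolve_uid(a1);
        g = resolve_gid(a2);
    } else if (strcmp(directive, "SuidUidGid") == 0) {
        /* bare numbers only: a leading '#' is a syntax error here, not a lookup */
        u = parse_numeric(a1);
        g = parse_numeric(a2);
    } else {
        return -1;
    }
    if (u < 0 || g < 0)
        return -1;
    if (u == 0 || g == 0)
        return -2;
    *uid = (uid_t)u;
    *gid = (gid_t)g;
    return 0;
}

int main(void)
{
    /* constructed sample directive lines, as they might appear in httpd.conf */
    static const char *samples[][3] = {
        { "SuidUserGroup", "#1001", "#1001" },
        { "SuidUidGid",    "1002",  "1002"  },
        { "SuidUserGroup", "#0",    "#0"    },
        { "SuidUserGroup", "no-such-user-xyz", "#1001" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid_t u;
        gid_t g;
        int rc = resolve_target(samples[i][0], samples[i][1], samples[i][2], &u, &g);
        if (rc == 0)
            printf("%s %s %s -> uid %ld gid %ld\n", samples[i][0], samples[i][1],
                   samples[i][2], (long)u, (long)g);
        else
            printf("%s %s %s -> %s\n", samples[i][0], samples[i][1], samples[i][2],
                   rc == -2 ? "refused (root)" : "cannot resolve");
    }
    return 0;
}
```

Resolving names once at configuration time, rather than per request, also means a typo in a username is caught at startup instead of silently leaving a virtual host running as the global SuidUserGroup user.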

For example, if you host example.com and example.net, configure as below.

httpd.conf

LoadModule suid2_module  modules/mod_suid2.so
# httpd must start as root: setuid(2) to another user is only possible from root
User                     root
Group                    root
# target user for the main server itself
SuidUserGroup            apache apache
NameVirtualHost 192.168.0.1
# <VirtualHost> takes the same address as NameVirtualHost; a hostname here would be
# resolved by DNS at startup and still has to match that address, so use the IP
<VirtualHost 192.168.0.1>
  ServerAdmin    webmaster@example.com
  DocumentRoot   /home/example.com/public_html
  ServerName     example.com
  ServerAlias    www.example.com
  SuidUserGroup  example1 example1
</VirtualHost>
<VirtualHost 192.168.0.1>
  ServerAdmin    webmaster@example.net
  DocumentRoot   /home/example.net/public_html
  ServerName     example.net
  ServerAlias    www.example.net
  SuidUserGroup  example2 example2
</VirtualHost>

Download

download area

License

ASL-2.0 (Apache Software License 2.0)

See also

http://www.sannes.org/metuxmpm/
http://www.snert.com/Software/mod_become/
http://www.suphp.org/Home.html

21:20:30 on 05/06/05