Apache Security - Ivan Ristic [75]
Other things can go wrong, too. One httpd process can control other httpd processes running on the same server. It can send them signals and, at the very least, kill them. (That is a potential for denial of service.) Using a process known as ptrace, originally designed for interactive debugging, one process can attach to another, pause it, read its data, and change how it operates, practically hijacking it. (See "Runtime Process Infection" at http://www.phrack.org/phrack/59/p59-0x08.txt to learn more about how this is done.) Also, there may be shared memory segments with permissions that allow access.
Of course, the mere fact that some untrusted user can upload and execute a binary on the server is very dangerous. The more users there are, the more dangerous this becomes. Users could exploit a vulnerability in a suid binary if it is available to them, or they could exploit a vulnerability in the kernel. Or, they could create and run a server of their own, using an unprivileged high port.
No comprehensive solution exists for this problem at this time. All we have is a series of partial solutions, each with its own unique advantages and disadvantages. Depending on your circumstances, you may find some of these partial solutions adequate.
* * *
Warning
All approaches to solving the single web server user problem have a serious drawback. Since the scripts then run as the user who owns the content, that means executed scripts now have write privileges wherever the user has write privileges. It is no longer possible to control script write access easily.
* * *
I have provided a summary of possible solutions in Table 6-1. Subsequent sections provide further details.
Table 6-1. Overview of secure dynamic-content solutions
Solution
Advantages
Disadvantages
Execution wrappers: suEXEC, CGIWrap, SBOX
Secure
Mature
Works only for CGI scripts
Reduced performance
FastCGI protocol
Fast
Secure
Mature
Works only for dynamic content
Not all technologies support the protocol
Per-request change of Apache identity: mod_become, mod_diffprivs, mod_suid, mod_suid2
Gets the job done
Reduced performance
Apache must run as root
Perchild MPM and Metux MPM
On the right track, aiming to be a complete solution
Potentially fast and secure
Perchild MPM has been abandoned
Metux MPM not stable yet
Running multiple Apache instances
Fast
Secure
Requires at least one IP address per user, or a central proxy in front
Increased memory consumption
Possibly increased management overhead
Not suitable for mass hosting
Execution wrappers
Increased security through execution wrappers is a hybrid security model. Apache runs as a single user when working with static content, switching to another user to execute dynamic requests. This approach solves the worst part of the problem and makes users' scripts run under their respective accounts. It does not attempt to solve the problem with filesystem privileges, which is the smaller part of the whole problem.
One serious drawback to this solution is the reduced performance, especially compared to the performance of Apache modules. First, Apache must start a new process for every dynamic request it handles. Second, since Apache normally runs as httpd and only root can change user identities, Apache needs help from a specialized suid binary. Apache, therefore, starts the suid binary first, telling it to run the user's script, resulting in two processes executed for every dynamic HTTP request.
There are three well-known suid execution wrappers:
suEXEC (part of the Apache distribution)