MAC policies and shared hosting
Alexander Leidinger
Alexander at Leidinger.net
Fri May 5 12:21:16 UTC 2006
Quoting Borja Marcos <BORJAMAR at SARENET.ES> (from Fri, 5 May 2006
11:09:31 +0200):
> The possible practical implementation of this scheme would use Zeus
> webserver, which has an option to execute each CGI with the uid of its
> owner. Of course, it could be interesting to add some functionality,
> for example, to Apache, in order to take advantage of the new security
> mechanisms.
FYI: Apache has the suexec wrapper. But it only covers real CGIs, not
Apache modules like PHP, mod_perl, ... or the serving of plain HTML files.

For this to work, either Apache would have to run an httpd process for
every virtual host, or the OS has to provide a way to change the UID
of a particular user (here: www) to some other user (as configured in
the virtual host part of the Apache config) without entering a
password (maybe via RBAC "allow su from uid www to uid
[1000,2000] nopwd").
Bye,
Alexander.
--
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
Intellect annuls Fate.
So far as a man thinks, he is free.
-- Ralph Waldo Emerson
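
The rule sketched in the message above ("allow su from uid www to uid [1000,2000] nopwd"), written as a small setuid-root wrapper. This is an added example, not code from the mail, from Apache's suexec or from FreeBSD. Assumptions: the www uid of 80, the function names `switch_allowed` and `drop_to`, and that the binary is installed setuid root and invoked by httpd.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define WWW_UID   80UL    /* assumption: uid of the "www" user */
#define TARGET_LO 1000UL  /* range taken from the rule quoted in the mail */
#define TARGET_HI 2000UL

/* Policy: only www (the real uid that invoked us) may switch, and only
 * to a uid inside the configured range. */
int switch_allowed(unsigned long caller, unsigned long target)
{
    return caller == WWW_UID && target >= TARGET_LO && target <= TARGET_HI;
}

/* Become the account for good. Order matters: groups, gid, then uid. */
int drop_to(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) return -1;  /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s uid program [args...]\n", argv[0]);
        return 2;
    }
    unsigned long target = strtoul(argv[1], NULL, 10);
    if (!switch_allowed((unsigned long)getuid(), target)) {
        fprintf(stderr, "switch to uid %lu denied\n", target);
        return 1;
    }
    /* The gid comes from the password database, never from the caller. */
    struct passwd *pw = getpwuid((uid_t)target);
    if (pw == NULL || drop_to(pw) != 0) {
        fprintf(stderr, "cannot become uid %lu\n", target);
        return 1;
    }
    execv(argv[2], &argv[2]);
    perror("execv");
    return 1;
}
```

Like suexec, this only helps for programs started as separate processes; code running inside the httpd process (modules, static file serving) still runs as www.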