[sclug] Apache question

Dickon Hood sclug at splurge.fluff.org
Sun Nov 7 19:58:24 UTC 2004


On Sun, Nov 07, 2004 at 13:14:44 +0000, Pieter Claassen wrote:
: Hello All,

: Here is an open question regarding Apache that somebody might have some
: philosophical or technical light to shed on:

: 1. Apache runs as www-data or whatever you want it to run.

Usually, yes.

: 2. It effectively ignores underlying filesystem permissions as long as
: it has read rights to the files you want to serve, execute rights to CGI
: scripts and directories it wants to traverse.

Well, ish.  I wouldn't say it ignores anything: it runs as a user and has
to conform to the permissions that user has.  It doesn't ignore anything,
and will generate error pages if permissions aren't correct.

: 3. To provide access control, you have to edit the apache.conf file and,
: on a per-directory or per-file basis, provide separate authorisation
: instructions (you can use PAM to authenticate users which will at least
: use your /etc/password)

This is an exceptionally bad idea.  HTTP is a connectionless protocol
(ignoring 1.1 for now) with no limits on the speed or number of password
attempts in any given period.  That allows people to attack your main
system password file by throwing usernames and passwords at it as fast as
your network connection will allow, and that's not a good thing at all.

: So, here is the question:
: 1. Does anybody know of a way for apache to use the filesystem's
: underlying permissions to determine if user X has the right to download
: or upload a file? If the file has worldwide rw rights, then anybody can
: get to it (I assume uploads via webdav)

There's nothing stopping you writing a CGI or somesuch which you can suid
to do this for you, but it isn't efficient, and would definitely have
security implications I shudder to think about.

: 2. Might this be most easily achieved by switching the UID/GID of the
: apache process on authentication to that of the authentication user?

You'd probably have to attempt something similar, yes.  One of the
problems with this approach is that, when you move to Apache 2, it will
limit you to a non-threading MPM (which will cripple performance).  Certainly we
manage about 1200 requests/second on our threaded Apache 2 instances,
which is significantly up on the 400r/s or so we were getting under 1.3.

-- 
Dickon Hood

Due to constant nagging to change it, my .sig is temporarily unavailable.
Normal service will be resumed as soon as possible.  We apologise for the
inconvenience in the meantime.
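
The reply's point about unthrottled password attempts over HTTP can be watched for in the access log. The following is an added example, not part of the original message: it flags clients that collect many 401 responses in a short window. The function name, thresholds and sample log lines are constructed for illustration, and the log is assumed to be in Common Log Format and in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[^"]*" (?P<status>\d{3}) \S+'
)

def find_auth_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {host: (peak_401s_in_window, usernames_tried)} for every host
    with at least `threshold` 401 responses inside any `window`."""
    recent = defaultdict(deque)  # host -> timestamps of 401s still in window
    users = defaultdict(set)     # host -> usernames supplied with failed tries
    peak = defaultdict(int)      # host -> largest window count seen
    for line in lines:
        m = CLF.match(line)
        if not m or m["status"] != "401":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["host"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[m["host"]] = max(peak[m["host"]], len(q))
        # Apache logs the supplied username even on a 401; "-" means the
        # request carried no credentials (the initial challenge).
        if m["user"] != "-":
            users[m["host"]].add(m["user"])
    return {h: (n, sorted(users[h])) for h, n in peak.items() if n >= threshold}

# Constructed sample: one client guessing system account names once a
# second, and one ordinary user who is challenged and then logs in.
SAMPLE = [
    f'192.0.2.10 - {u} [07/Nov/2004:19:00:0{i} +0000] '
    '"GET /private/ HTTP/1.0" 401 476'
    for i, u in enumerate(["root", "root", "admin", "www-data", "root", "admin"])
] + [
    '198.51.100.7 - - [07/Nov/2004:19:00:02 +0000] "GET /private/ HTTP/1.0" 401 476',
    '198.51.100.7 - alice [07/Nov/2004:19:00:09 +0000] "GET /private/ HTTP/1.0" 200 1832',
]

if __name__ == "__main__":
    for host, (count, names) in find_auth_bursts(SAMPLE).items():
        print(f"{host}: {count} failures in window, tried {', '.join(names)}")
```

When the authentication backend is PAM against the system accounts, the usernames in the output are login names on the host itself, which is what makes such a burst worth alerting on.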

