<-
Apache > HTTP Server > Documentation > Version 2.4 > Modules

Apache Module mod_privileges

Available Languages:  en  |  fr 

Description:Support for Solaris privileges and for running virtual hosts under different user IDs.
Status:Experimental
Module Identifier:privileges_module
Source File:mod_privileges.c
Compatibility:Available in Apache 2.3 and up, on Solaris 10 and OpenSolaris platforms

Summary

This module enables different Virtual Hosts to run with different Unix User and Group IDs, and with different Solaris Privileges. In particular, it offers a solution to the problem of privilege separation between different Virtual Hosts, first promised by the abandoned perchild MPM. It also offers other security enhancements.

Unlike perchild, mod_privileges is not itself an MPM. It works within a processing model to set privileges and User/Group per request in a running process. It is therefore not compatible with a threaded MPM, and will refuse to run under one.

mod_privileges raises security issues similar to those of suexec. But unlike suexec, it applies not only to CGI programs but to the entire request processing cycle, including in-process applications and subprocesses. It is ideally suited to running PHP applications under mod_php, which is also incompatible with threaded MPMs. It is also well-suited to other in-process scripting applications such as mod_perl, mod_python, and mod_ruby, and to applications implemented in C as apache modules where privilege separation is an issue.

Support Apache!

Topics

Directives

Bugfix checklist

See also

top

Security Considerations

mod_privileges introduces new security concerns in situations where untrusted code may be run within the webserver process. This applies to untrusted modules, and scripts running under modules such as mod_php or mod_perl. Scripts running externally (e.g. as CGI or in an appserver behind mod_proxy or mod_jk) are NOT affected.

The basic security concerns with mod_privileges are:

The PrivilegesMode directive allows you to select either FAST or SECURE mode. You can mix modes, using FAST mode for trusted users and fully-audited code paths, while imposing SECURE mode where an untrusted user has scope to introduce code.

Before describing the modes, we should also introduce the target use cases: Benign vs Hostile. In a benign situation, you want to separate users for their convenience, and protect them and the server against the risks posed by honest mistakes, but you trust your users are not deliberately subverting system security. In a hostile situation - e.g. commercial hosting - you may have users deliberately attacking the system or each other.

FAST mode
In FAST mode, requests are run in-process with the selected uid/gid and privileges, so the overhead is negligible. This is suitable for benign situations, but is not secure against an attacker escalating privileges with an in-process module or script.
SECURE mode
A request in SECURE mode forks a subprocess, which then drops privileges. This is a very similar case to running CGI with suexec, but for the entire request cycle, and with the benefit of fine-grained control of privileges.

You can select different PrivilegesModes for each virtual host, and even in a directory context within a virtual host. FAST mode is appropriate where the user(s) are trusted and/or have no privilege to load in-process code. SECURE mode is appropriate to cases where untrusted code might be run in-process. However, even in SECURE mode, there is no protection against a malicious user who is able to introduce privileges-aware code running before the start of the request-processing cycle.

top

DTracePrivileges Directive

Description:Determines whether the privileges required by dtrace are enabled.
Syntax:DTracePrivileges On|Off
Default:DTracePrivileges Off
Context:server config
Status:Experimental
Module:mod_privileges
Compatibility:Available on Solaris 10 and OpenSolaris with non-threaded MPMs (prefork or custom MPM).

This server-wide directive determines whether Apache will run with the privileges required to run dtrace. Note that DTracePrivileges On will not in itself activate DTrace, but DTracePrivileges Off will prevent it working.

top

PrivilegesMode Directive

Description:Trade off processing speed and efficiency vs security against malicious privileges-aware code.
Syntax:PrivilegesMode FAST|SECURE|SELECTIVE
Default:PrivilegesMode FAST
Context:server config, virtual host, directory
Status:Experimental
Module:mod_privileges
Compatibility:Available on Solaris 10 and OpenSolaris with non-threaded MPMs (prefork or custom MPM).

This directive trades off performance vs security against malicious, privileges-aware code. In SECURE mode, each request runs in a secure subprocess, incurring a substantial performance penalty. In FAST mode, the server is not protected against escalation of privileges as discussed above.

This directive differs slightly between a <Directory> context (including equivalents such as Location/Files/If) and a top-level or <VirtualHost>.

At top-level