Index of /apache-privsep

Name	Last modified	Size

Parent Directory		-
2.2.6/	12-Dec-2007 08:29	-
2.3.0-dev/	21-Dec-2007 13:54	-
ChangeLog	05-Dec-2007 21:45	662
build-apache-privsep.sh	05-Dec-2007 21:29	3.9K
privsep-apache-1.3.39-0.5.patch	05-Dec-2007 21:37	58K
privsep-mod_dav-1.0.3-1.3.6-0.5.patch	05-Dec-2007 21:37	15K

Apache Privilege Separation for WebDAV Remote Access

NOTE: We have moved to privsep.org. Future versions of the patches will be posted there. This page is being kept for historical purposes.

The Apache Privilege Separation patch addresses the problem of an Apache WebDAV server only being able to write files as the apache user (usually something like 'nobody' or 'www'). It addresses this problem in a secure way by adding privilege separation to the Apache web server (conceptually similar to ssh privilege separation).

A privilege seperated Apache can be used for instance to allow WebDAV access to ~user directories and also to allow the use of unix quotas. WebDAV clients are seamlessly integrated into both Windows and Mac OS X providing a convenient and secure method for remote access.

In Privilege Separation mode Apache continues to run as an unprivileged user although one additional secure process runs as 'root'. The 'root' privileged separated process communicates with the main apache process via unix sockets and has two purposes:

Responds to PAM authentication requests (pam_unix authentication is not normally possible due to the unprivileged apache process not being able to access shadow passwords, but due to the privilege separated design this is now possible and secure). Authentication responses include a cryptographic cookie which encodes the users credentials and is verified in successive privileged filesystem requests made to the privsep process.
Performs privileged filesystem operations on behalf of the unprivileged apache process as the privileges of the authenticated user. The cryptographic cookie is verified and then the effective userid is set and the filesystem operation is performed. Certain auditable points in the apache and mod_dav code have been changed to use the privsep calls which communicate via unix sockets (priv_open, priv_unlink, priv_rmdir, etc...). File descriptors are passed back over unix sockets for open calls.

Requirements

The apache-privsep patches work inconjunction with mod_dav, mod_ssl and pam to provide secure authentication and access to directories exported with privilege separation. The patchset includes a patch for mod_dav.

Note: The apache privsep patch will currently only work on Linux due to internal glibc assumptions on how directory file descriptors are returned from opendir. It should be able to be modified easily for other unices that support file descriptor passing over unix domain sockets (assuming you can get access to directory file descriptors).

How To Build Apache Privilege Separation

Download the two patches (privsep-apache-1.3.x.patch, privsep-mod_dav-1.0.x.patch) and the build-apache-privsep.sh script. The script will download the required apache, mod_ssl and mod_dav sources, apply the privsep patches and then build a privilege separation enabled apache.

To build:

./build-apache-privsep.sh

To install:

cd apache_1.3.33
make certificate
sudo make install

How To Enable Apache Privilege Separation

Add the following into your PAM configuration for apache (/etc/pam.d/apache):

auth    required        pam_unix.so nullok_secure nodelay
account required        pam_unix.so

Note: the 'nodelay' option is important as otherwise pam auth failures will throttle the privilege separation process (mod_auth_privsep will introduce a delay into the apache worker process instead).

Then in the apache configuration (/opt/apache/etc/apache.conf) you need to turn on privsep - this is done in global scope (with this off the code paths are unaltered and it will act like a normal apache):

PrivilegeSeparation On
PrivilegeSeparationRoot /home

You can also enable debugging (which will go to the apache error log):

LogLevel info
PrivilegeSeparationDebug On

You will also need to set the DAVLockDB parameter for DAV to function:

DAVLockDB /opt/apache/var/dav/DAVLock

Then in the SSL virtual server you need to enable DAV and the privsep auth module:

<Directory "/home/*/public_html/">
    DAV On
    AuthType Basic
    AuthName "Home access"
    AllowOverride None
    PrivSepAuth On
    Options MultiViews Indexes FollowSymLinks IncludesNoExec
    <Limit GET OPTIONS PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        require valid-user
    </Limit>
    <LimitExcept GET OPTIONS PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
     </LimitExcept>
  </Directory>

Start your SSL enabled apache server:

/opt/apache/sbin/apachectl startssl

Now try to access using DAV:

https://yourmachine.yourdomain:8443/~youraccount/

Have fun!

Authors

Jamie Clark
Michael Clark

Please send bugs, feedback, comments to Michael Clark.

This code is made available under the Apache License Version 2.0.