The Apache Privilege Separation patch addresses the problem of an Apache WebDAV server only being able to write files as the apache user (usually something like 'nobody' or 'www'). It addresses this problem in a secure way by adding privilege separation to the Apache web server (conceptually similar to ssh privilege separation).
A privilege seperated Apache can be used for instance to allow WebDAV access to ~user directories and also to allow the use of unix quotas. WebDAV clients are seamlessly integrated into both Windows and Mac OS X providing a convenient and secure method for remote access.
In Privilege Separation mode Apache continues to run as an unprivileged user although one additional secure process runs as 'root'. The 'root' privileged separated process communicates with the main apache process via unix sockets and has two purposes:
The apache-privsep patches work inconjunction with mod_dav, mod_ssl and pam to provide secure authentication and access to directories exported with privilege separation. The patchset includes a patch for mod_dav.
Note: The apache privsep patch will currently only work on Linux due to internal glibc assumptions on how directory file descriptors are returned from
opendir. It should be able to be modified easily for other unices that support file descriptor passing over unix domain sockets (assuming you can get access to directory file descriptors).
Download the two patches (privsep-apache-1.3.x.patch, privsep-mod_dav-1.0.x.patch) and the build-apache-privsep.sh script. The script will download the required apache, mod_ssl and mod_dav sources, apply the privsep patches and then build a privilege separation enabled apache.
cd apache_1.3.33 make certificate sudo make install
Add the following into your PAM configuration for apache (/etc/pam.d/apache):
auth required pam_unix.so nullok_secure nodelay account required pam_unix.so
Note: the 'nodelay' option is important as otherwise pam auth failures will throttle the privilege separation process (mod_auth_privsep will introduce a delay into the apache worker process instead).
Then in the apache configuration (/opt/apache/etc/apache.conf) you need to turn on privsep - this is done in global scope (with this off the code paths are unaltered and it will act like a normal apache):
PrivilegeSeparation On PrivilegeSeparationRoot /home
You can also enable debugging (which will go to the apache error log):
LogLevel info PrivilegeSeparationDebug On
You will also need to set the DAVLockDB parameter for DAV to function:
Then in the SSL virtual server you need to enable DAV and the privsep auth module:
<Directory "/home/*/public_html/"> DAV On AuthType Basic AuthName "Home access" AllowOverride None PrivSepAuth On Options MultiViews Indexes FollowSymLinks IncludesNoExec <Limit GET OPTIONS PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> require valid-user </Limit> <LimitExcept GET OPTIONS PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> Order deny,allow Deny from all </LimitExcept> </Directory>
Start your SSL enabled apache server:
Now try to access using DAV:
Please send bugs, feedback, comments to Michael Clark.
Copyright Metaparadigm Pte. Ltd. 2007.
This code is made available under the Apache License Version 2.0.