Apache Privilege Separation for WebDAV Remote Access

NOTE: We have moved to privsep.org. Future versions of the patches will be posted there. This page is being kept for historical purposes.

The Apache Privilege Separation patch addresses the problem of an Apache WebDAV server only being able to write files as the apache user (usually something like 'nobody' or 'www'). It addresses this problem in a secure way by adding privilege separation to the Apache web server (conceptually similar to ssh privilege separation).

A privilege separated Apache can be used, for instance, to allow WebDAV access to ~user directories and to honour unix quotas, since files are created as the authenticated user rather than as the web server user. WebDAV clients are seamlessly integrated into both Windows and Mac OS X, providing a convenient and secure method for remote access.

In Privilege Separation mode Apache continues to run as an unprivileged user, although one additional process runs as 'root'. This privilege separated 'root' process communicates with the main apache process over unix domain sockets and has two purposes:

Requirements

The apache-privsep patches work in conjunction with mod_dav, mod_ssl and PAM to provide secure authentication and access to directories exported with privilege separation. The patchset includes a patch for mod_dav.

Note: The apache privsep patch will currently only work on Linux, because it relies on glibc-internal assumptions about how opendir returns directory file descriptors. It should be easy to adapt to other Unix systems that support file descriptor passing over unix domain sockets (assuming you can get access to directory file descriptors).
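The descriptor-passing mechanism the two paragraphs above rely on, shown as an added example that is not code from the privsep patch or from Apache: a root-owned helper opens a directory and hands the open descriptor to an unprivileged worker over a UNIX-domain socket using SCM_RIGHTS ancillary data, and the worker then reaches files only through that descriptor. The helper/worker split, the `under_root` prefix check standing in for the PrivilegeSeparationRoot directive, the scratch directory under /tmp and the `note.txt` contents are all constructed for this example; the patch's real wire protocol and checks are not reproduced here.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define NOTE "hello via SCM_RIGHTS"   /* constructed sample file content */

/* Hypothetical stand-in for the PrivilegeSeparationRoot check: the helper only opens
 * directories at or below this prefix.  Real code must canonicalise (realpath) first. */
static int under_root(const char *root, const char *path)
{
    size_t n = strlen(root);
    return strncmp(root, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Pass one descriptor over a UNIX-domain socket as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c;
    memset(&u, 0, sizeof u);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; the worker accepts only a directory, nothing else. */
static int recv_dir_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c; struct stat st; int fd;
    memset(&u, 0, sizeof u);
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Round trip: the child plays the root-owned helper, the parent the unprivileged
 * worker.  Returns 1 if the worker read NOTE back through the passed descriptor. */
static int demo_ok(void)
{
    char dir[] = "/tmp/privsep-demo-XXXXXX";   /* constructed scratch directory */
    char buf[sizeof NOTE] = { 0 };
    int sv[2], dfd, ffd, status, ok = 0; pid_t pid;
    if (!mkdtemp(dir) || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 ||
        (pid = fork()) < 0)
        return 0;
    if (pid == 0) {                                   /* helper side */
        int rc = 1;
        close(sv[0]);
        if (under_root("/tmp", dir) &&
            (dfd = open(dir, O_RDONLY | O_DIRECTORY)) >= 0 &&
            (ffd = openat(dfd, "note.txt", O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0 &&
            write(ffd, NOTE, sizeof NOTE - 1) == (ssize_t)(sizeof NOTE - 1) &&
            send_fd(sv[1], dfd) == 0)
            rc = 0;
        _exit(rc);
    }
    close(sv[1]);                                     /* worker side */
    dfd = recv_dir_fd(sv[0]);
    close(sv[0]);
    waitpid(pid, &status, 0);
    if (dfd >= 0) {
        /* O_NOFOLLOW: a symlink planted in the exported directory must not redirect us. */
        if ((ffd = openat(dfd, "note.txt", O_RDONLY | O_NOFOLLOW)) >= 0) {
            ok = read(ffd, buf, sizeof NOTE - 1) == (ssize_t)(sizeof NOTE - 1) &&
                 strcmp(buf, NOTE) == 0;
            close(ffd);
        }
        unlinkat(dfd, "note.txt", 0);
        close(dfd);
    }
    rmdir(dir);
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Call demo_ok() from a main; it returns 1 on a successful round trip. Two checks carry the security weight. The helper must decide what it opens (here under_root, evaluated before the open), because every descriptor it hands out is usable by the worker regardless of the worker's uid. The worker should in turn validate what it receives (fstat for S_ISDIR, MSG_CTRUNC) and open files relative to the descriptor with O_NOFOLLOW, so that neither a wrongly typed descriptor nor a planted symlink widens its access beyond the exported directory.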

How To Build Apache Privilege Separation

Download the two patches (privsep-apache-1.3.x.patch, privsep-mod_dav-1.0.x.patch) and the build-apache-privsep.sh script. The script will download the required apache, mod_ssl and mod_dav sources, apply the privsep patches and then build a privilege separation enabled apache.

To build:

./build-apache-privsep.sh

To install:

cd apache_1.3.33
make certificate
sudo make install

How To Enable Apache Privilege Separation

Add the following into your PAM configuration for apache (/etc/pam.d/apache):

auth    required        pam_unix.so nullok_secure nodelay
account required        pam_unix.so

Note: the 'nodelay' option is important. Without it, PAM's failure delay would stall the single privilege separation process (and with it every client) on each failed login; mod_auth_privsep introduces the delay in the apache worker process instead.

Then in the apache configuration (/opt/apache/etc/apache.conf) you need to turn on privsep. This is done in global scope; with it off the code paths are unaltered and the server behaves like a normal apache:

PrivilegeSeparation On
PrivilegeSeparationRoot /home

You can also enable debugging (which will go to the apache error log):

LogLevel info
PrivilegeSeparationDebug On

You will also need to set the DAVLockDB parameter for DAV to function:

DAVLockDB /opt/apache/var/dav/DAVLock

Then in the SSL virtual server you need to enable DAV and the privsep auth module:

<Directory "/home/*/public_html/">
    DAV On
    AuthType Basic
    AuthName "Home access"
    AllowOverride None
    PrivSepAuth On
    Options MultiViews Indexes FollowSymLinks IncludesNoExec
    <Limit GET OPTIONS PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        require valid-user
    </Limit>
    <LimitExcept GET OPTIONS PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

Start your SSL enabled apache server:

/opt/apache/sbin/apachectl startssl

Now try to access using DAV:

https://yourmachine.yourdomain:8443/~youraccount/

Have fun!

Authors

Please send bugs, feedback, comments to Michael Clark.


Copyright Metaparadigm Pte. Ltd. 2007.

This code is made available under the Apache License Version 2.0.