Date: Fri, 05 May 2006 14:21:03 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Borja Marcos <BORJAMAR@SARENET.ES>
Cc: freebsd-security@freebsd.org, Robert Watson <rwatson@freebsd.org>
Subject: Re: MAC policies and shared hosting
Message-ID: <20060505142103.8iu70vc9ic0ocgs0@netchild.homeip.net>
In-Reply-To: <FDEE8EA9-0AA0-4CD9-854F-B543A1288101@SARENET.ES>
References: <CB6E482F-221F-4D31-8814-BF4A23D3E19E@SARENET.ES> <20060504172309.D17611@fledge.watson.org> <FDEE8EA9-0AA0-4CD9-854F-B543A1288101@SARENET.ES>
Quoting Borja Marcos <BORJAMAR@SARENET.ES> (from Fri, 5 May 2006 11:09:31 +0200):

> The possible practical implementation of this scheme would use Zeus
> webserver, which has an option to execute each CGI with the uid of its
> owner. Of course, it could be interesting to add some functionality,
> for example, to Apache, in order to take advantage of the new security
> mechanisms.

FYI: apache has the suexec wrapper. But it only covers real CGIs, not
apache modules like php, mod_perl, ... or plain html file serving.
For this to work either apache would have to run a httpd process for
every virtual host, or the OS has to provide the possibility to allow
changing the UID of a particular user (here: www) to some other user
(as configured in the virtual host part of the apache config) without
entering a password (maybe via RBAC "allow su from uid www to uid
[1000,2000] nopwd").

Bye,
Alexander.

-- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

Intellect annuls Fate. So far as a man thinks, he is free.
		-- Ralph Waldo Emerson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060505142103.8iu70vc9ic0ocgs0>
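Added example, not part of the thread above and not suexec's own code: a minimal suexec-style wrapper that enforces, in user space, the rule Alexander sketches as "allow su from uid www to uid [1000,2000] nopwd". The wrapper is meant to be installed setuid root; it checks that the real uid of the caller is the web server user and that the requested target uid lies in the customer range, then drops privileges irrevocably and execs the per-vhost program. The uid of the www user (80), the range bounds and the command-line interface are assumptions for the illustration; the real suexec additionally checks document root, file ownership and permissions, which this example leaves out. The policy check is kept as a pure function so it can be exercised without root.

```c
/* Added example: a reduced suexec-style privilege-switching wrapper.
 * Not the code of the mail thread or of Apache's suexec.
 * Assumptions (hypothetical): web server runs as WWW_UID, customer
 * accounts occupy uids MIN_UID..MAX_UID, binary is installed setuid root.
 *
 * Build:   cc -o vhostexec vhostexec.c
 * Install: chown root vhostexec && chmod 4711 vhostexec
 * Use:     vhostexec <target-uid> /path/to/program [args...]
 */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define WWW_UID  80      /* assumption: FreeBSD's www user */
#define MIN_UID  1000    /* assumption: first customer uid */
#define MAX_UID  2000    /* assumption: last customer uid */

/* Pure policy check: may 'caller' switch to 'target' without a password?
 * Mirrors "allow su from uid www to uid [1000,2000] nopwd".
 * Returns 1 if allowed, 0 otherwise. Testable without root. */
int switch_allowed(uid_t caller, uid_t target)
{
    if (caller != WWW_UID)
        return 0;                      /* only the web server user may ask */
    if (target < MIN_UID || target > MAX_UID)
        return 0;                      /* never root, never system accounts */
    return 1;
}

/* Drop privileges to (uid, gid) and verify the drop is irrevocable.
 * Order matters: supplementary groups and gid first, while still root,
 * then uid. Returns 0 on success, -1 on failure (errno set). */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* A correct drop leaves no way back: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <target-uid> <program> [args...]\n", argv[0]);
        return 2;
    }

    char *end = NULL;
    unsigned long t = strtoul(argv[1], &end, 10);
    if (argv[1][0] == '\0' || end == NULL || *end != '\0') {
        fprintf(stderr, "bad target uid: %s\n", argv[1]);
        return 2;
    }

    /* The real uid identifies who invoked us; the effective uid is 0
     * only because of the setuid bit on this binary. */
    uid_t caller = getuid();
    if (!switch_allowed(caller, (uid_t)t)) {
        fprintf(stderr, "policy: uid %lu may not switch to uid %lu\n",
                (unsigned long)caller, t);
        return 1;
    }

    struct passwd *pw = getpwuid((uid_t)t);
    if (pw == NULL) {
        fprintf(stderr, "no account with uid %lu\n", t);
        return 1;
    }

    if (drop_to(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }

    /* Only now, running as the customer's uid/gid, start the vhost program. */
    execv(argv[2], &argv[2]);
    perror("execv");
    return 1;
}
```

The range check is deliberately done on the real uid and on the numeric target before any lookup, so a caller that is not www, or a request for uid 0 or a system account, is rejected before the process touches the password database. The post-drop `setuid(0)` probe is the check a practitioner wants: it catches a build where the drop silently became a temporary (saved-uid) switch rather than a permanent one.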