What is mod_suid2 ?
mod_suid2 is Suexec module for apache-2.0.
Apache2 includes mod_suexec. if you enable this module, you can run CGI or SSI programs under user's privileges. (not as apache, nobody, wwwuser)
For example, if CGI's owner is "user A", programs run as "user_a" not as "apache". This is done by /usr/local/apache2/bin/suexec wrapper program.
because wrapper program is required, mod_suexec can run only CGI or SSI with program owner's privilege, and can't run Apache modules, (i.e. WebDAV or PHP). these module will run as User or Group in httpd.conf.
The problem is, if you have a large number of virtual hosts, some user could read/write other's file or directory because all programs run as apache.
To solve this, Apache2 has Perchild MPM, but this is "NOT" stable yet.
With apache-1.3, you can install mod_become to run httpd process under user's right. But I could not find modules for Apache-2.0.
mod_suid2 is similer to mod_become but for Apache2.
Security
To run httpd process with user's priv, I choose setuid(2). Only root can use setuid(2) as you know. which means, all httpd process must run as "ROOT" at the first time, thus you have to compile and configure Apache2 with -DBIG_SECURITY_HOLE option.
When httpd receive HTTP headers from clients, httpd is running as super user. if there are buffer overflow or such, attackers can or may get root shell.
To make secure your servers, there are some ways.
Run httpd under chroot environment. Install libsafe or compile your Apache with StackGuard. Install IDS or IPS and protect server.
Notice, if you install mod_suid2, security between one virtualhost and another will be fine. But, Security against attacks from internet will be unsafe.
Performance
By default, MaxRequestsPerChild in httpd.conf is set to 0. This means one httpd process will receive many requests from clients. But, a process which already setud(2) to general user can not setuid(2) to another user. then httpd that is already setuid(2) must be killed with one request.
To kill each process and create new process takes time. As a result, performance of without mod_suid2 is much better than mod_suid.
Install
Installation is very easy. First, you have to install Apache2 with -DBIG_SECURITY_HOLE option.
Install of Apache2
% tar zxfv httpd-2.0.48.tar.gz % env CFLAGS="-DBIG_SECURITY_HOLE" ./configure && make # make install
Install of mod_suid2
# /usr/local/apache2/bin/apxs -a -i -c mod_suid2.c
Configuration
Configuration format is
SuidUserGroup Username Groupname
this is like SuexecUserGroup format, you can use this in grobal section or virtualhost section. Another configuration is
SuidUserGroup #uidNumber #gidNumber
or
SuidUidGid uidNumber gidNumber
This is useful when users don't have Username or Groupname. SuidUidGid is for numerical username(not recommended)
For example, If there are example.com and example.net, configure like below.
httpd.conf
LoadModule suid2_module modules/mod_suid2.so User root Group root SuidUserGroup apache apache NameVirtualHost 192.168.0.1 <VirtualHost example.com> ServerAdmin webmaster@example.com DocumentRoot /home/example.com/public_html ServerName example.com ServerAlias www.example.com SuidUserGroup example1 example1 </VirtualHost> <VirtualHost example.net> ServerAdmin webmaster@example.net DocumentRoot /home/example.net/public_html ServerName example.net ServerAlias www.example.net SuidUserGroup example2 example2 </VirtualHost>
See also
http://www.sannes.org/metuxmpm/