mod_become 1.03
mod_become 1.03 Ranking & Summary
File size: 0.023 MB
Platform: Any Platform
License: Free To Use But Restricted
Price:
Downloads: 733
Date added: 2006-05-23
Publisher: Anthony Howe
mod_become 1.03 description
The mod_become module enables the web server to take on the access rights of a user & group, so that ~users can make files available to the web without having to make them world-readable on the local file system. This can be useful for sites with a large number of users who want to apply file access controls among themselves. This module can also be applied to virtual hosts, directories, and locations.
When the server is configured with "User root" (see Security), then this module will behave as though the directive "MaxRequestsPerChild 1" were set for the server and "KeepAlive off" were set for the server and every virtual host where a mod_become directive appears, which essentially limits the server and those virtual hosts to HTTP/1.0 behaviour.
Therefore, for each request, this module will setuid() and setgid() the process handling the request based on one of the policies outlined below. Once the request is completed, the process will terminate. The parent server will be responsible for spawning a new child process to handle any future requests.
The source can be compiled to use seteuid() and setegid() instead of setuid() and setgid() (see the top of the Makefile), but this is NOT the default. Using seteuid() and setegid() can improve performance by avoiding the need to kill the Apache child process between requests, but it DOES have significant security issues. For example, modules like mod_php or mod_perl that provide APIs to seteuid() and setegid() could be used to become the root user once again and do whatever they want.
Essentially, any module that is part of the Apache process space could revert to the root user if it makes use of seteuid() and setegid(). It is recommended that these APIs be disabled within mod_php, mod_perl, and other language modules. CGIs that are launched as a separate process by Apache should, in theory, be safe, since the effective user and group ID become the real user and group ID of the child process and therefore cannot revert back to root (if I understand things correctly).
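The difference between the two build modes, as an added example (not code from mod_become): a small constructed model of the POSIX real/effective/saved UID rules, showing why a seteuid() drop can be undone from inside the same process while a setuid() drop made by root cannot. The struct, the function names and the UID 1000 are assumptions for illustration.

```c
#include <stdio.h>
#include <errno.h>

/* Constructed model of one process's user credentials (not mod_become code). */
struct cred { unsigned ruid, euid, suid; };   /* real, effective, saved UID */

/* setuid(2): a privileged caller (euid 0) replaces all three IDs at once;
 * an unprivileged caller may only set euid to its real or saved UID. */
static int model_setuid(struct cred *c, unsigned uid) {
    if (c->euid == 0) { c->ruid = c->euid = c->suid = uid; return 0; }
    if (uid == c->ruid || uid == c->suid) { c->euid = uid; return 0; }
    return -EPERM;
}

/* seteuid(2): only the effective UID changes; real and saved UID are kept,
 * and either of them is a valid target for a later call. */
static int model_seteuid(struct cred *c, unsigned uid) {
    if (c->euid == 0 || uid == c->ruid || uid == c->suid) { c->euid = uid; return 0; }
    return -EPERM;
}

/* Returns 1 if code running in the same process can get euid 0 back
 * after the per-request drop, 0 if the drop is permanent. */
int can_regain_root(int use_seteuid, unsigned target_uid) {
    struct cred c = {0, 0, 0};            /* child started under "User root" */
    if (use_seteuid) model_seteuid(&c, target_uid);   /* optional build mode */
    else             model_setuid(&c, target_uid);    /* default build mode  */
    /* What an in-process module exposing seteuid() could attempt next. */
    return model_seteuid(&c, 0) == 0 && c.euid == 0;
}

int main(void) {
    printf("setuid()  build: root regained = %d\n", can_regain_root(0, 1000));
    printf("seteuid() build: root regained = %d\n", can_regain_root(1, 1000));
    return 0;
}
```

In the seteuid() case the real and saved UID remain 0, which is why the drop only holds as long as no in-process code asks for root back.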
Configuration
The commands below can be added to the general Apache configuration file, httpd.conf.
User id
Context: global, <VirtualHost>
This is not part of mod_become, but is used to enable or disable mod_become's behaviour, since mod_become can only function when "User root" is specified for the main server configuration. You need to compile Apache with -DBIG_SECURITY_HOLE in order to do this.
Become user id
Become group id
Context: server, <VirtualHost>, <Directory>, <Location>
Specify the user or group to be used by default. When the BecomePolicy is user-group, these will always be used. If the main server configuration fails to set the default user and group, then an error 503 Service Unavailable and an error log entry may occur should these values be required.
BecomePolicy policy
Context: global, <VirtualHost>, <Directory>, <Location>
Specify the policy used to set the user & group ids of the child process:
file
The user & group of the requested file are used. Not recommended.
user-group
The default user & group specified are used. This is similar in behaviour to the Apache core directives User and Group. This is the default policy.
document-root
The user & group of the server's or virtual host's document root are used.
parent-directory
The user & group of the request's parent directory are used. When the request corresponds to a directory, then it is used instead of its parent.
BecomeRoot boolean
Context: global, <VirtualHost>, <Directory>, <Location>
When true, mod_become will allow the process to operate as root user or group; otherwise a 403 Forbidden error and an error log entry will occur if the process attempts to become root user or group. By default this is set to false.