<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 8.6.1" />
<title>Security of user switching support in Passenger</title>
<style type="text/css">
/* Debug borders */
p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
/*
border: 1px solid red;
*/
}
body {
margin: 1em 5% 1em 5%;
}
a {
color: blue;
text-decoration: underline;
}
a:visited {
color: fuchsia;
}
em {
font-style: italic;
color: navy;
}
strong {
font-weight: bold;
color: #083194;
}
tt {
color: navy;
}
h1, h2, h3, h4, h5, h6 {
color: #527bbd;
font-family: sans-serif;
margin-top: 1.2em;
margin-bottom: 0.5em;
line-height: 1.3;
}
h1, h2, h3 {
border-bottom: 2px solid silver;
}
h2 {
padding-top: 0.5em;
}
h3 {
float: left;
}
h3 + * {
clear: left;
}
div.sectionbody {
font-family: serif;
margin-left: 0;
}
hr {
border: 1px solid silver;
}
p {
margin-top: 0.5em;
margin-bottom: 0.5em;
}
ul, ol, li > p {
margin-top: 0;
}
pre {
padding: 0;
margin: 0;
}
span#author {
color: #527bbd;
font-family: sans-serif;
font-weight: bold;
font-size: 1.1em;
}
span#email {
}
span#revnumber, span#revdate, span#revremark {
font-family: sans-serif;
}
div#footer {
font-family: sans-serif;
font-size: small;
border-top: 2px solid silver;
padding-top: 0.5em;
margin-top: 4.0em;
}
div#footer-text {
float: left;
padding-bottom: 0.5em;
}
div#footer-badges {
float: right;
padding-bottom: 0.5em;
}
div#preamble {
margin-top: 1.5em;
margin-bottom: 1.5em;
}
div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
div.admonitionblock {
margin-top: 1.0em;
margin-bottom: 1.5em;
}
div.admonitionblock {
margin-top: 2.0em;
margin-bottom: 2.0em;
margin-right: 10%;
color: #606060;
}
div.content { /* Block element content. */
padding: 0;
}
/* Block element titles. */
div.title, caption.title {
color: #527bbd;
font-family: sans-serif;
font-weight: bold;
text-align: left;
margin-top: 1.0em;
margin-bottom: 0.5em;
}
div.title + * {
margin-top: 0;
}
td div.title:first-child {
margin-top: 0.0em;
}
div.content div.title:first-child {
margin-top: 0.0em;
}
div.content + div.title {
margin-top: 0.0em;
}
div.sidebarblock > div.content {
background: #ffffee;
border: 1px solid silver;
padding: 0.5em;
}
div.listingblock > div.content {
border: 1px solid silver;
background: #f4f4f4;
padding: 0.5em;
}
div.quoteblock, div.verseblock {
padding-left: 1.0em;
margin-left: 1.0em;
margin-right: 10%;
border-left: 5px solid #dddddd;
color: #777777;
}
div.quoteblock > div.attribution {
padding-top: 0.5em;
text-align: right;
}
div.verseblock > pre.content {
font-family: inherit;
}
div.verseblock > div.attribution {
padding-top: 0.75em;
text-align: left;
}
/* DEPRECATED: Pre version 8.2.7 verse style literal block. */
div.verseblock + div.attribution {
text-align: left;
}
div.admonitionblock .icon {
vertical-align: top;
font-size: 1.1em;
font-weight: bold;
text-decoration: underline;
color: #527bbd;
padding-right: 0.5em;
}
div.admonitionblock td.content {
padding-left: 0.5em;
border-left: 3px solid #dddddd;
}
div.exampleblock > div.content {
border-left: 3px solid #dddddd;
padding-left: 0.5em;
}
div.imageblock div.content { padding-left: 0; }
span.image img { border-style: none; }
a.image:visited { color: white; }
dl {
margin-top: 0.8em;
margin-bottom: 0.8em;
}
dt {
margin-top: 0.5em;
margin-bottom: 0;
font-style: normal;
color: navy;
}
dd > *:first-child {
margin-top: 0.1em;
}
ul, ol {
list-style-position: outside;
}
ol.arabic {
list-style-type: decimal;
}
ol.loweralpha {
list-style-type: lower-alpha;
}
ol.upperalpha {
list-style-type: upper-alpha;
}
ol.lowerroman {
list-style-type: lower-roman;
}
ol.upperroman {
list-style-type: upper-roman;
}
div.compact ul, div.compact ol,
div.compact p, div.compact p,
div.compact div, div.compact div {
margin-top: 0.1em;
margin-bottom: 0.1em;
}
div.tableblock > table {
border: 3px solid #527bbd;
}
thead, p.table.header {
font-family: sans-serif;
font-weight: bold;
color: #527bbd;
}
tfoot {
font-weight: bold;
}
td > div.verse {
white-space: pre;
}
p.table {
margin-top: 0;
}
/* Because the table frame attribute is overriden by CSS in most browsers. */
div.tableblock > table[frame="void"] {
border-style: none;
}
div.tableblock > table[frame="hsides"] {
border-left-style: none;
border-right-style: none;
}
div.tableblock > table[frame="vsides"] {
border-top-style: none;
border-bottom-style: none;
}
div.hdlist {
margin-top: 0.8em;
margin-bottom: 0.8em;
}
div.hdlist tr {
padding-bottom: 15px;
}
dt.hdlist1.strong, td.hdlist1.strong {
font-weight: bold;
}
td.hdlist1 {
vertical-align: top;
font-style: normal;
padding-right: 0.8em;
color: navy;
}
td.hdlist2 {
vertical-align: top;
}
div.hdlist.compact tr {
margin: 0;
padding-bottom: 0;
}
.comment {
background: yellow;
}
.footnote, .footnoteref {
font-size: 0.8em;
}
span.footnote, span.footnoteref {
vertical-align: super;
}
#footnotes {
margin: 20px 0 20px 0;
padding: 7px 0 0 0;
}
#footnotes div.footnote {
margin: 0 0 5px 0;
}
#footnotes hr {
border: none;
border-top: 1px solid silver;
height: 1px;
text-align: left;
margin-left: 0;
width: 20%;
min-width: 100px;
}
div.colist td {
padding-right: 0.5em;
padding-bottom: 0.3em;
vertical-align: top;
}
div.colist td img {
margin-top: 0.3em;
}
@media print {
div#footer-badges { display: none; }
}
div#toc {
margin-bottom: 2.5em;
}
div#toctitle {
color: #527bbd;
font-family: sans-serif;
font-size: 1.1em;
font-weight: bold;
margin-top: 1.0em;
margin-bottom: 0.1em;
}
div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
margin-top: 0;
margin-bottom: 0;
}
div.toclevel2 {
margin-left: 2em;
font-size: 0.9em;
}
div.toclevel3 {
margin-left: 4em;
font-size: 0.9em;
}
div.toclevel4 {
margin-left: 6em;
font-size: 0.9em;
}
</style>
<script type="text/javascript">
/*<+'])');
// Function that scans the DOM tree for header elements (the DOM2
// nodeIterator API would be a better technique but not supported by all
// browsers).
var iterate = function (el) {
for (var i = el.firstChild; i != null; i = i.nextSibling) {
if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
var mo = re.exec(i.tagName);
if (mo && (i.getAttribute("class") || i.getAttribute("className")) != "float") {
result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
}
iterate(i);
}
}
}
iterate(el);
return result;
}
var toc = document.getElementById("toc");
var entries = tocEntries(document.getElementById("content"), toclevels);
for (var i = 0; i < entries.length; ++i) {
var entry = entries[i];
if (entry.element.id == "")
entry.element.id = "_toc_" + i;
var a = document.createElement("a");
a.href = "#" + entry.element.id;
a.appendChild(document.createTextNode(entry.text));
var div = document.createElement("div");
div.appendChild(a);
div.className = "toclevel" + entry.toclevel;
toc.appendChild(div);
}
if (entries.length == 0)
toc.parentNode.removeChild(toc);
},
/////////////////////////////////////////////////////////////////////
// Footnotes generator
/////////////////////////////////////////////////////////////////////
/* Based on footnote generation code from:
* http://www.brandspankingnew.net/archive/2005/07/format_footnote.html
*/
footnotes: function () {
var cont = document.getElementById("content");
var noteholder = document.getElementById("footnotes");
var spans = cont.getElementsByTagName("span");
var refs = {};
var n = 0;
for (i=0; i<spans.length; i++) {
if (spans[i].className == "footnote") {
n++;
// Use [\s\S] in place of . so multi-line matches work.
// Because JavaScript has no s (dotall) regex flag.
note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];
noteholder.innerHTML +=
"<div class='footnote' id='_footnote_" + n + "'>" +
"<a href='#_footnoteref_" + n + "' title='Return to text'>" +
n + "</a>. " + note + "</div>";
spans[i].innerHTML =
"[<a id='_footnoteref_" + n + "' href='#_footnote_" + n +
"' title='View footnote' class='footnote'>" + n + "</a>]";
var id =spans[i].getAttribute("id");
if (id != null) refs["#"+id] = n;
}
}
if (n == 0)
noteholder.parentNode.removeChild(noteholder);
else {
// Process footnoterefs.
for (i=0; i<spans.length; i++) {
if (spans[i].className == "footnoteref") {
var href = spans[i].getElementsByTagName("a")[0].getAttribute("href");
href = href.match(/#.*/)[0]; // Because IE return full URL.
n = refs[href];
spans[i].innerHTML =
"[<a href='#_footnote_" + n +
"' title='View footnote' class='footnote'>" + n + "</a>]";
}
}
}
}
}
/*]]>*/
</script>
</head>
<body class="article">
<div id="header">
<h1>Security of user switching support in Passenger</h1>
<div id="toc">
<div id="toctitle">Table of Contents</div>
<noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_problem_description">1. Problem description</h2>
<div class="sectionbody">
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/tip.png" alt="Tip" />
</td>
<td class="content">It is strongly recommended that you first read our
<a href="Architectural%20overview.html">Architectural Overview</a>.</td>
</tr></table>
</div>
<div class="paragraph"><p>A straightforward implementation of Passenger will spawn Rails applications in
the same user context as Apache itself. On server machines which host multiple
websites for multiple users, this may not be desired. All Rails applications
spawned by Passenger will be able to read and write to all directories that the
web server can. So for example, Joe’s Rails applications could read Jane’s
Rails application’s <em>database.yml</em> or delete her application files. This is
also a problem that typically plagues PHP web hosts.</p></div>
<div class="paragraph"><p>There are multiple ways to solve this problem. The goal of this document is to
inform the reader about the solutions have we have analyzed, so that
Passenger’s security may be peer reviewed.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_analysis_of_possible_solutions">2. Analysis of possible solutions</h2>
<div class="sectionbody">
<div class="paragraph"><p>It seems that the only way to solve this problem on Unix, is to run each Rails
application server as its owner’s user and group. Passenger can make use of
one of the following methods to implement this:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Apache (and thus Passenger) must already be running as root.
</p>
</li>
<li>
<p>
Using Apache’s suEXEC.
</p>
</li>
<li>
<p>
A setuid root wrapper application must exist, to allow non-root processes
to obtain root privileges (or at least, the privilege to switch user).
</p>
</li>
<li>
<p>
For each user $X that Passenger will need to switch to, there must exist
a setuid $X wrapper application.
</p>
</li>
<li>
<p>
Using <em>su</em>.
</p>
</li>
<li>
<p>
Using <em>sudo</em>.
</p>
</li>
</ol></div>
<div class="paragraph"><p>Let us take a look at each method in detail.</p></div>
<div class="sect2">
<h3 id="apache_root">2.1. Apache must already be running as root</h3>
<div class="paragraph"><p>First, let us take a look at the typical Apache setup, in which Apache is bound
to port 80, and uses the prefork MPM. Binding to any port lower than 1024
requires root privileges, so Apache is typically run as root. This poses an
unacceptable security risk, so Apache’s prefork MPM will, upon receiving an
HTTP request, spawn a child process with the privileges of a normal user,
typically <em>www-data</em> or <em>nobody</em>.
See <a href="http://httpd.apache.org/docs/2.2/mod/prefork.html">the documentation for the
prefork MPM</a> - in particular the “User” and “Group” directives - for details.
The process which is responsible for spawning child processes (also called the
control process) is run as root. This is also true for
<a href="http://httpd.apache.org/docs/2.2/mod/worker.html">the worker MPM</a>.</p></div>
<div class="paragraph"><p>Since Passenger has access to the control process, in the typical Apache setup,
Passenger can already launch Rails applications as a different user. But now we
have to ask this question:</p></div>
<div class="exampleblock">
<div class="content">
<div class="paragraph"><p>If Apache is not running as root, are there still any Passenger users who
want to run Rails applications as different users?</p></div>
</div></div>
<div class="paragraph"><p>If the answer is yes, then we cannot use this method.</p></div>
<div class="paragraph"><p>The advantage of this method is that setting up Apache to run as root is
incredibly easy, and requires no new framework to be written. However, testing
this method in automated unit tests will require running the unit test suit as
root.</p></div>
</div>
<div class="sect2">
<h3 id="_using_apache_8217_s_suexec">2.2. Using Apache’s suEXEC</h3>
<div class="paragraph"><p>Apache’s <a href="http://httpd.apache.org/docs/2.0/suexec.html">suEXEC</a> allows one to
run CGI processes as different users. But it seems that suEXEC can only be
used for CGI, and is not a general-purpose mechanism. The
<a href="http://alain.knaff.lu/howto/PhpSuexec/">PHP-suEXEC</a> software allows one to run
PHP applications via suEXEC, but it requires patching suEXEC. If Passenger is
to use suEXEC, then it is likely that we’ll have to patch suEXEC. The suEXEC
website strongly discourages patching.</p></div>
</div>
<div class="sect2">
<h3 id="_using_a_setuid_root_wrapper_application">2.3. Using a setuid root wrapper application</h3>
<div class="paragraph"><p>If we use this method, we must be extremely careful. It must not be possible
for arbitrary processes to gain root privileges. We want Passenger, and only
Passenger, to be able to gain root privileges.</p></div>
<div class="paragraph"><p>There are multiple ways to implement this security. The first one is to use
a password file, which only Apache and the wrapper can read, through
the use of proper file permissions. The password file must never be world
readable or writable.</p></div>
<div class="paragraph"><p>It works as follows:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Passenger runs the wrapper.
</p>
</li>
<li>
<p>
Passenger passes the content of the password file to the wrapper, via
an anonymous pipe (or some other anonymous channel, that no other
processes can access).
</p>
</li>
<li>
<p>
The wrapper checks whether the passed content is the same as what is in
the password file. If it is, then it is proven that whatever application
ran the wrapper has read access to the password file, and thus is authorized
to use the wrapper.
</p>
</li>
</ol></div>
<div class="paragraph"><p>An obvious problem that arises is: how does the wrapper locate its own password
file? We obviously do not want to be able to specify the password filename as
an argument to the wrapper: that would defeat the point of the password file.
The solution is that the filename is to be hardcoded into the binary during
compile time.</p></div>
<div class="paragraph"><p>Another way to implement security is to use a whitelist of users that are
allowed to use the wrapper. The wrapper can then check whether the calling
process’s user is in the whitelist.</p></div>
<div class="paragraph"><p>Writing a wrapper is not too hard. Furthermore, unit tests do not have to be
run as root, in contrast to the run-Apache-as-root method.</p></div>
</div>
<div class="sect2">
<h3 id="setuid_root">2.4. Using a setuid $X wrapper application</h3>
<div class="paragraph"><p>A setuid $X wrapper will work in a fashion similar to the setuid root wrapper,
i.e. it will use a password file for authorization.</p></div>
<div class="paragraph"><p>Passenger does not spawn Rails applications itself, but does so via the spawn
server. This spawn server is also responsible for preloading the Rails
framework and the Rails application code, in order to speed up the spawning
of Rails applications. See the design document of the spawn server for details.
The spawn server never calls <tt>exec()</tt>: doing so will make preloading useless.
If Passenger is to use a setuid $X wrapper, then it must start the spawn
server via the wrapper. The spawn server itself cannot use the wrapper.</p></div>
<div class="paragraph"><p>However, doing so will make preloading less efficient. Passenger will be forced
to run a spawn server for each user. The different spawn servers do not share
memory with each other, so a lot of memory is wasted compared to the other
methods.</p></div>
<div class="paragraph"><p>Implementing this will also take more work. One has to create a different
wrapper for each user, and to install it.</p></div>
</div>
<div class="sect2">
<h3 id="_using_em_su_em">2.5. Using <em>su</em></h3>
<div class="paragraph"><p>The standard Unix <em>su</em> tool asks for the root password. It’s a bad idea for
Apache to know the root password, so using <em>su</em> is not a viable alternative.</p></div>
</div>
<div class="sect2">
<h3 id="_using_em_sudo_em">2.6. Using <em>sudo</em></h3>
<div class="paragraph"><p>It might be possible to use the <em>sudo</em> utility. sudo can be configured in
such a way that the user Apache runs as can use sudo without having to enter a
password.</p></div>
<div class="paragraph"><p>However, Passenger uses an anonymous communication channel (an unnamed Unix
socket) to communicate with the spawn server. sudo seems to close all file
descriptors before executing an application, so Passenger will have to
communicate with the spawn server via a non-anonymous channel, such as a named
Unix socket. Because other processes can access this channel, it can introduce
potential security problems. Note that passing information via program arguments
is not secure: it is possible to view that information with tools like <em>ps</em>,
or (on Linux) by reading the file <tt>/proc/$PID/cmdline</tt>.</p></div>
<div class="paragraph"><p>So it seems <em>sudo</em> is not a viable alternative.</p></div>
</div>
<div class="sect2">
<h3 id="_common_security_issues">2.7. Common security issues</h3>
<div class="paragraph"><p>Whatever method Passenger will use, the following security principles must be
honored:</p></div>
<div class="ulist"><ul>
<li>
<p>
Rails applications must never be run as root.
</p>
</li>
</ul></div>
<div class="paragraph"><p>It might also be worthy to look into suEXEC’s security model for inspiration.</p></div>
<div class="paragraph"><p>Also, the following questions remain:</p></div>
<div class="ulist"><ul>
<li>
<p>
Is there a need for a user whitelist/blacklist? That is, is there a need for
the ability to restrict the set of users that Passenger can switch to?
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_chosen_solution">3. Chosen solution</h2>
<div class="sectionbody">
<div class="paragraph"><p>Running Apache as root and writing a setuid root wrapper are the main
contestants. The former is preferred, because it’s easier to implement.</p></div>
<div class="paragraph"><p>We have had some conversations with people on the IRC channel #rubyonrails.
Among those people, nobody has ever run Apache as non-root. Because of this
we have chosen to implement the <a href="#apache_root">Running Apache as root</a>
solution, until a significant number of users request us to implement the
<a href="#setuid_root">setuid root wrapper</a> solution.</p></div>
<div class="paragraph"><p>Please read <a href="rdoc/index.html">the Ruby API documentation</a> — in particular
that of the <em>ApplicationSpawner</em> class — for implementation details. But to
make a long story short: it will switch to the owner of the file
<em>config/environment.rb</em>. User whitelisting/blacklisting is currently not
implemented. We rely on the system administrator to set the correct owner
on that file.</p></div>
<div class="paragraph"><p>We have also not implemented suEXEC’s security model. suEXEC’s model is quite
paranoid, and although paranoia is good to a certain extend, it can be in the
way of usability while proving little extra security. We are not entirely
convinced that implementing suEXEC’s full security model will provide
significant benefits, but if you have good reasons to think otherwise, please
feel free to discuss it with us.</p></div>
</div>
</div>
</div>
<div id="footnotes"><hr /></div>
<div id="footer">
<div id="footer-text">
Last updated 2010-09-25 20:09:08 CEST
</div>
</div>
</body>
</html>