passenger 2.0.6 → 2.1.2

data/doc/Security of user switching support.html

@@ -1,643 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
-    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
-<meta name="generator" content="AsciiDoc 8.2.7" />
-<style type="text/css">
-/* Debug borders */
-p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
-/*
-  border: 1px solid red;
-*/
-}
-
-body {
-  margin: 1em 5% 1em 5%;
-}
-
-a {
-  color: blue;
-  text-decoration: underline;
-}
-a:visited {
-  color: fuchsia;
-}
-
-em {
-  font-style: italic;
-  color: navy;
-}
-
-strong {
-  font-weight: bold;
-  color: #083194;
-}
-
-tt {
-  color: navy;
-}
-
-h1, h2, h3, h4, h5, h6 {
-  color: #527bbd;
-  font-family: sans-serif;
-  margin-top: 1.2em;
-  margin-bottom: 0.5em;
-  line-height: 1.3;
-}
-
-h1, h2, h3 {
-  border-bottom: 2px solid silver;
-}
-h2 {
-  padding-top: 0.5em;
-}
-h3 {
-  float: left;
-}
-h3 + * {
-  clear: left;
-}
-
-div.sectionbody {
-  font-family: serif;
-  margin-left: 0;
-}
-
-hr {
-  border: 1px solid silver;
-}
-
-p {
-  margin-top: 0.5em;
-  margin-bottom: 0.5em;
-}
-
-ul, ol, li > p {
-  margin-top: 0;
-}
-
-pre {
-  padding: 0;
-  margin: 0;
-}
-
-span#author {
-  color: #527bbd;
-  font-family: sans-serif;
-  font-weight: bold;
-  font-size: 1.1em;
-}
-span#email {
-}
-span#revision {
-  font-family: sans-serif;
-}
-
-div#footer {
-  font-family: sans-serif;
-  font-size: small;
-  border-top: 2px solid silver;
-  padding-top: 0.5em;
-  margin-top: 4.0em;
-}
-div#footer-text {
-  float: left;
-  padding-bottom: 0.5em;
-}
-div#footer-badges {
-  float: right;
-  padding-bottom: 0.5em;
-}
-
-div#preamble,
-div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
-div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
-div.admonitionblock {
-  margin-right: 10%;
-  margin-top: 1.5em;
-  margin-bottom: 1.5em;
-}
-div.admonitionblock {
-  margin-top: 2.5em;
-  margin-bottom: 2.5em;
-}
-
-div.content { /* Block element content. */
-  padding: 0;
-}
-
-/* Block element titles. */
-div.title, caption.title {
-  color: #527bbd;
-  font-family: sans-serif;
-  font-weight: bold;
-  text-align: left;
-  margin-top: 1.0em;
-  margin-bottom: 0.5em;
-}
-div.title + * {
-  margin-top: 0;
-}
-
-td div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content + div.title {
-  margin-top: 0.0em;
-}
-
-div.sidebarblock > div.content {
-  background: #ffffee;
-  border: 1px solid silver;
-  padding: 0.5em;
-}
-
-div.listingblock {
-  margin-right: 0%;
-}
-div.listingblock > div.content {
-  border: 1px solid silver;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock {
-  padding-left: 2.0em;
-}
-div.quoteblock > div.attribution {
-  padding-top: 0.5em;
-  text-align: right;
-}
-
-div.verseblock {
-  padding-left: 2.0em;
-}
-div.verseblock > div.content {
-  white-space: pre;
-}
-div.verseblock > div.attribution {
-  padding-top: 0.75em;
-  text-align: left;
-}
-/* DEPRECATED: Pre version 8.2.7 verse style literal block. */
-div.verseblock + div.attribution {
-  text-align: left;
-}
-
-div.admonitionblock .icon {
-  vertical-align: top;
-  font-size: 1.1em;
-  font-weight: bold;
-  text-decoration: underline;
-  color: #527bbd;
-  padding-right: 0.5em;
-}
-div.admonitionblock td.content {
-  padding-left: 0.5em;
-  border-left: 2px solid silver;
-}
-
-div.exampleblock > div.content {
-  border-left: 2px solid silver;
-  padding: 0.5em;
-}
-
-div.imageblock div.content { padding-left: 0; }
-div.imageblock img { border: 1px solid silver; }
-span.image img { border-style: none; }
-
-dl {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-dt {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-  font-style: normal;
-}
-dd > *:first-child {
-  margin-top: 0.1em;
-}
-
-ul, ol {
-    list-style-position: outside;
-}
-div.olist > ol {
-  list-style-type: decimal;
-}
-div.olist2 > ol {
-  list-style-type: lower-alpha;
-}
-
-div.tableblock > table {
-  border: 3px solid #527bbd;
-}
-thead {
-  font-family: sans-serif;
-  font-weight: bold;
-}
-tfoot {
-  font-weight: bold;
-}
-
-div.hlist {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-div.hlist td {
-  padding-bottom: 15px;
-}
-td.hlist1 {
-  vertical-align: top;
-  font-style: normal;
-  padding-right: 0.8em;
-}
-td.hlist2 {
-  vertical-align: top;
-}
-
-@media print {
-  div#footer-badges { display: none; }
-}
-
-div#toctitle {
-  color: #527bbd;
-  font-family: sans-serif;
-  font-size: 1.1em;
-  font-weight: bold;
-  margin-top: 1.0em;
-  margin-bottom: 0.1em;
-}
-
-div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
-  margin-top: 0;
-  margin-bottom: 0;
-}
-div.toclevel2 {
-  margin-left: 2em;
-  font-size: 0.9em;
-}
-div.toclevel3 {
-  margin-left: 4em;
-  font-size: 0.9em;
-}
-div.toclevel4 {
-  margin-left: 6em;
-  font-size: 0.9em;
-}
-/* Workarounds for IE6's broken and incomplete CSS2. */
-
-div.sidebar-content {
-  background: #ffffee;
-  border: 1px solid silver;
-  padding: 0.5em;
-}
-div.sidebar-title, div.image-title {
-  color: #527bbd;
-  font-family: sans-serif;
-  font-weight: bold;
-  margin-top: 0.0em;
-  margin-bottom: 0.5em;
-}
-
-div.listingblock div.content {
-  border: 1px solid silver;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock-attribution {
-  padding-top: 0.5em;
-  text-align: right;
-}
-
-div.verseblock-content {
-  white-space: pre;
-}
-div.verseblock-attribution {
-  padding-top: 0.75em;
-  text-align: left;
-}
-
-div.exampleblock-content {
-  border-left: 2px solid silver;
-  padding-left: 0.5em;
-}
-
-/* IE6 sets dynamically generated links as visited. */
-div#toc a:visited { color: blue; }
-
-/* Because IE6 child selector is broken. */
-div.olist2 ol {
-  list-style-type: lower-alpha;
-}
-div.olist2 div.olist ol {
-  list-style-type: decimal;
-}
-</style>
-<script type="text/javascript">
-/*<![CDATA[*/
-window.onload = function(){generateToc(3)}
-/* Author: Mihai Bazon, September 2002
- * http://students.infoiasi.ro/~mishoo
- *
- * Table Of Content generator
- * Version: 0.4
- *
- * Feel free to use this script under the terms of the GNU General Public
- * License, as long as you do not remove or alter this notice.
- */
-
- /* modified by Troy D. Hanson, September 2006. License: GPL */
- /* modified by Stuart Rackham, October 2006. License: GPL */
-
-function getText(el) {
-  var text = "";
-  for (var i = el.firstChild; i != null; i = i.nextSibling) {
-    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
-      text += i.data;
-    else if (i.firstChild != null)
-      text += getText(i);
-  }
-  return text;
-}
-
-function TocEntry(el, text, toclevel) {
-  this.element = el;
-  this.text = text;
-  this.toclevel = toclevel;
-}
-
-function tocEntries(el, toclevels) {
-  var result = new Array;
-  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
-  // Function that scans the DOM tree for header elements (the DOM2
-  // nodeIterator API would be a better technique but not supported by all
-  // browsers).
-  var iterate = function (el) {
-    for (var i = el.firstChild; i != null; i = i.nextSibling) {
-      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
-        var mo = re.exec(i.tagName)
-        if (mo)
-          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
-        iterate(i);
-      }
-    }
-  }
-  iterate(el);
-  return result;
-}
-
-// This function does the work. toclevels = 1..4.
-function generateToc(toclevels) {
-  var toc = document.getElementById("toc");
-  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
-  for (var i = 0; i < entries.length; ++i) {
-    var entry = entries[i];
-    if (entry.element.id == "")
-      entry.element.id = "toc" + i;
-    var a = document.createElement("a");
-    a.href = "#" + entry.element.id;
-    a.appendChild(document.createTextNode(entry.text));
-    var div = document.createElement("div");
-    div.appendChild(a);
-    div.className = "toclevel" + entry.toclevel;
-    toc.appendChild(div);
-  }
-  if (entries.length == 0)
-    document.getElementById("header").removeChild(toc);
-}
-/*]]>*/
-</script>
-<title>Security of user switching support in Passenger</title>
-</head>
-<body>
-<div id="header">
-<h1>Security of user switching support in Passenger</h1>
-<div id="toc">
-  <div id="toctitle">Table of Contents</div>
-  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
-</div>
-</div>
-<h2 id="_problem_description">1. Problem description</h2>
-<div class="sectionbody">
-<div class="admonitionblock">
-<table><tr>
-<td class="icon">
-<img src="./images/icons/tip.png" alt="Tip" />
-</td>
-<td class="content">It is strongly recommended that you first read our
-<a href="Architectural%20overview.html">Architectural Overview</a>.</td>
-</tr></table>
-</div>
-<div class="para"><p>A straightforward implementation of Passenger will spawn Rails applications in
-the same user context as Apache itself. On server machines which host multiple
-websites for multiple users, this may not be desired. All Rails applications
-spawned by Passenger will be able to read and write to all directories that the
-web server can. So for example, Joe's Rails applications could read Jane's
-Rails application's <em>database.yml</em> or delete her application files. This is
-also a problem that typically plagues PHP web hosts.</p></div>
-<div class="para"><p>There are multiple ways to solve this problem. The goal of this document is to
-inform the reader about the solutions have we have analyzed, so that
-Passenger's security may be peer reviewed.</p></div>
-</div>
-<h2 id="_analysis_of_possible_solutions">2. Analysis of possible solutions</h2>
-<div class="sectionbody">
-<div class="para"><p>It seems that the only way to solve this problem on Unix, is to run each Rails
-application server as its owner's user and group. Passenger can make use of
-one of the following methods to implement this:</p></div>
-<div class="olist"><ol>
-<li>
-<p>
-Apache (and thus Passenger) must already be running as root.
-</p>
-</li>
-<li>
-<p>
-Using Apache's suEXEC.
-</p>
-</li>
-<li>
-<p>
-A setuid root wrapper application must exist, to allow non-root processes
-    to obtain root privileges (or at least, the privilege to switch user).
-</p>
-</li>
-<li>
-<p>
-For each user $X that Passenger will need to switch to, there must exist
-    a setuid $X wrapper application.
-</p>
-</li>
-<li>
-<p>
-Using <em>su</em>.
-</p>
-</li>
-<li>
-<p>
-Using <em>sudo</em>.
-</p>
-</li>
-</ol></div>
-<div class="para"><p>Let us take a look at each method in detail.</p></div>
-<h3 id="apache_root">2.1. Apache must already be running as root</h3><div style="clear:left"></div>
-<div class="para"><p>First, let us take a look at the typical Apache setup, in which Apache is bound
-to port 80, and uses the prefork MPM. Binding to any port lower than 1024
-requires root privileges, so Apache is typically run as root. This poses an
-unacceptable security risk, so Apache's prefork MPM will, upon receiving an
-HTTP request, spawn a child process with the privileges of a normal user,
-typically <em>www-data</em> or <em>nobody</em>.
-See <a href="http://httpd.apache.org/docs/2.2/mod/prefork.html">the documentation for the
-prefork MPM</a> - in particular the &#8220;User&#8221; and &#8220;Group&#8221; directives - for details.
-The process which is responsible for spawning child processes (also called the
-control process) is run as root. This is also true for
-<a href="http://httpd.apache.org/docs/2.2/mod/worker.html">the worker MPM</a>.</p></div>
-<div class="para"><p>Since Passenger has access to the control process, in the typical Apache setup,
-Passenger can already launch Rails applications as a different user. But now we
-have to ask this question:</p></div>
-<div class="exampleblock">
-<div class="exampleblock-content">
-<div class="para"><p>If Apache is not running as root, are there still any Passenger users who
-want to run Rails applications as different users?</p></div>
-</div></div>
-<div class="para"><p>If the answer is yes, then we cannot use this method.</p></div>
-<div class="para"><p>The advantage of this method is that setting up Apache to run as root is
-incredibly easy, and requires no new framework to be written. However, testing
-this method in automated unit tests will require running the unit test suit as
-root.</p></div>
-<h3 id="_using_apache_s_suexec">2.2. Using Apache's suEXEC</h3><div style="clear:left"></div>
-<div class="para"><p>Apache's <a href="http://httpd.apache.org/docs/2.0/suexec.html">suEXEC</a> allows one to
-run CGI processes as different users. But it seems that suEXEC can only be
-used for CGI, and is not a general-purpose mechanism. The
-<a href="http://alain.knaff.lu/howto/PhpSuexec/">PHP-suEXEC</a> software allows one to run
-PHP applications via suEXEC, but it requires patching suEXEC. If Passenger is
-to use suEXEC, then it is likely that we'll have to patch suEXEC. The suEXEC
-website strongly discourages patching.</p></div>
-<h3 id="_using_a_setuid_root_wrapper_application">2.3. Using a setuid root wrapper application</h3><div style="clear:left"></div>
-<div class="para"><p>If we use this method, we must be extremely careful. It must not be possible
-for arbitrary processes to gain root privileges. We want Passenger, and only
-Passenger, to be able to gain root privileges.</p></div>
-<div class="para"><p>There are multiple ways to implement this security. The first one is to use
-a password file, which only Apache and the wrapper can read, through
-the use of proper file permissions. The password file must never be world
-readable or writable.</p></div>
-<div class="para"><p>It works as follows:</p></div>
-<div class="olist"><ol>
-<li>
-<p>
-Passenger runs the wrapper.
-</p>
-</li>
-<li>
-<p>
-Passenger passes the content of the password file to the wrapper, via
-   an anonymous pipe (or some other anonymous channel, that no other
-   processes can access).
-</p>
-</li>
-<li>
-<p>
-The wrapper checks whether the passed content is the same as what is in
-   the password file. If it is, then it is proven that whatever application
-   ran the wrapper has read access to the password file, and thus is authorized
-   to use the wrapper.
-</p>
-</li>
-</ol></div>
-<div class="para"><p>An obvious problem that arises is: how does the wrapper locate its own password
-file? We obviously do not want to be able to specify the password filename as
-an argument to the wrapper: that would defeat the point of the password file.
-The solution is that the filename is to be hardcoded into the binary during
-compile time.</p></div>
-<div class="para"><p>Another way to implement security is to use a whitelist of users that are
-allowed to use the wrapper. The wrapper can then check whether the calling
-process's user is in the whitelist.</p></div>
-<div class="para"><p>Writing a wrapper is not too hard. Furthermore, unit tests do not have to be
-run as root, in contrast to the run-Apache-as-root method.</p></div>
-<h3 id="setuid_root">2.4. Using a setuid $X wrapper application</h3><div style="clear:left"></div>
-<div class="para"><p>A setuid $X wrapper will work in a fashion similar to the setuid root wrapper,
-i.e. it will use a password file for authorization.</p></div>
-<div class="para"><p>Passenger does not spawn Rails applications itself, but does so via the spawn
-server. This spawn server is also responsible for preloading the Rails
-framework and the Rails application code, in order to speed up the spawning
-of Rails applications. See the design document of the spawn server for details.
-The spawn server never calls <tt>exec()</tt>: doing so will make preloading useless.
-If Passenger is to use a setuid $X wrapper, then it must start the spawn
-server via the wrapper. The spawn server itself cannot use the wrapper.</p></div>
-<div class="para"><p>However, doing so will make preloading less efficient. Passenger will be forced
-to run a spawn server for each user. The different spawn servers do not share
-memory with each other, so a lot of memory is wasted compared to the other
-methods.</p></div>
-<div class="para"><p>Implementing this will also take more work. One has to create a different
-wrapper for each user, and to install it.</p></div>
-<h3 id="_using_em_su_em">2.5. Using <em>su</em></h3><div style="clear:left"></div>
-<div class="para"><p>The standard Unix <em>su</em> tool asks for the root password. It's a bad idea for
-Apache to know the root password, so using <em>su</em> is not a viable alternative.</p></div>
-<h3 id="_using_em_sudo_em">2.6. Using <em>sudo</em></h3><div style="clear:left"></div>
-<div class="para"><p>It might be possible to use the <em>sudo</em> utility. sudo can be configured in
-such a way that the user Apache runs as can use sudo without having to enter a
-password.</p></div>
-<div class="para"><p>However, Passenger uses an anonymous communication channel (an unnamed Unix
-socket) to communicate with the spawn server. sudo seems to close all file
-descriptors before executing an application, so Passenger will have to
-communicate with the spawn server via a non-anonymous channel, such as a named
-Unix socket. Because other processes can access this channel, it can introduce
-potential security problems. Note that passing information via program arguments
-is not secure: it is possible to view that information with tools like <em>ps</em>,
-or (on Linux) by reading the file <tt>/proc/$PID/cmdline</tt>.</p></div>
-<div class="para"><p>So it seems <em>sudo</em> is not a viable alternative.</p></div>
-<h3 id="_common_security_issues">2.7. Common security issues</h3><div style="clear:left"></div>
-<div class="para"><p>Whatever method Passenger will use, the following security principles must be
-honored:</p></div>
-<div class="ilist"><ul>
-<li>
-<p>
-Rails applications must never be run as root.
-</p>
-</li>
-</ul></div>
-<div class="para"><p>It might also be worthy to look into suEXEC's security model for inspiration.</p></div>
-<div class="para"><p>Also, the following questions remain:</p></div>
-<div class="ilist"><ul>
-<li>
-<p>
-Is there a need for a user whitelist/blacklist? That is, is there a need for
-   the ability to restrict the set of users that Passenger can switch to?
-</p>
-</li>
-</ul></div>
-</div>
-<h2 id="_chosen_solution">3. Chosen solution</h2>
-<div class="sectionbody">
-<div class="para"><p>Running Apache as root and writing a setuid root wrapper are the main
-contestants. The former is preferred, because it's easier to implement.</p></div>
-<div class="para"><p>We have had some conversations with people on the IRC channel #rubyonrails.
-Among those people, nobody has ever run Apache as non-root. Because of this
-we have chosen to implement the <a href="#apache_root">Running Apache as root</a>
-solution, until a significant number of users request us to implement the
-<a href="#setuid_root">setuid root wrapper</a> solution.</p></div>
-<div class="para"><p>Please read <a href="rdoc/index.html">the Ruby API documentation</a> &#8212; in particular
-that of the <em>ApplicationSpawner</em> class &#8212; for implementation details. But to
-make a long story short: it will switch to the owner of the file
-<em>config/environment.rb</em>. User whitelisting/blacklisting is currently not
-implemented. We rely on the system administrator to set the correct owner
-on that file.</p></div>
-<div class="para"><p>We have also not implemented suEXEC's security model. suEXEC's model is quite
-paranoid, and although paranoia is good to a certain extend, it can be in the
-way of usability while proving little extra security. We are not entirely
-convinced that implementing suEXEC's full security model will provide
-significant benefits, but if you have good reasons to think otherwise, please
-feel free to discuss it with us.</p></div>
-</div>
-<div id="footer">
-<div id="footer-text">
-Last updated 2008-12-01 14:21:18 CEST
-</div>
-</div>
-</body>
-</html>
+asciidoc required to build docs