[Mono-list] mod_mono in combination with UserDirs and mod_suid/mod_ruid
cbergstrom at netsyncro.com
Wed Jan 31 08:56:32 EST 2007
Erik van Pienbroek wrote:
> I'm currently in the process of setting up a new webserver
> for a school. The goal of it is that every user has its own
> webspace and can put PHP scripts in it. As we want to prevent
> abuse of the server while not limiting the users in functionality
> (thus leaving the safe mode from PHP off) we have used an apache
> module called mod_ruid which alters the permissions of the
> apache process for each HTTP request so that PHP scripts are
> executed with the right permissions. We use UserDirs instead of
> vhosts in this setup as we want to keep the webserver as dynamic
> as possible without too much maintaining fuss.
> We have had several requests from users to add ASP.NET support
> to this webserver, but I'm having a hard time getting mod_mono
> to work. What I want is that for each request the mono/xsp process
> gets started with the permissions of the user who owns the
> ASP script. I've noticed that mod_mono uses unix domain sockets
> to send requests to a central mono/xsp process which runs with
> the permissions of the apache server. Now I'm wondering if it
> is possible to integrate xsp in mod_mono so that the right
> permissions are used for each http request.
> Can somebody give me some hints regarding this setup?
Try something like this...
Make this a suid binary which takes the requests and drops privileges.
(Of course doing some of the same security checks as mod_ruid) Also
you'll probably have to add apache to the users group because of the
stupid .wapi directories. Don't quote me on this, but I think we had to
patch the umask section of xsp as well, but that may have been to allow
groups of sites per user. I can not say this strongly enough that
changing MonoServerPath to a suid binary can be very risky. Make sure
whoever is writing that wrapper knows what they are doing.
vhosts.conf per vhost
Other things to watch out for in all this..
1) stale files in .wapi/*
2) <Location /mono>
Will be your friend while testing all this...
3) You may also have to modify your apache initd script
4) Creating a cron job or use daemontools to pop a specific page looking
for 500 errors and restarting (http://www.foo.com/mono?restart=XXGLOBAL)
As needed. iirc changes inside the bin/ directory aren't automagically
detected.. and causing an appdomain reload (This can really confuse
people who aren't aware of the difference in behavior from MS to Mono.
Anyone know if this was ever fixed?)
5) Double check that the *.dll files inside bin/ are not downloadable.
I am using an older version of mod_mono and xsp so there may be features
in newer versions that I'm unaware of.. (Someone correct me on all this
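As an added illustration of the "suid binary which drops privileges" the reply above describes (example code written for this page, not from the post or the Mono project): the wrapper is installed as MonoServerPath, takes the site directory as its first argument and forwards the rest to the real mod-mono-server (both the argument convention and the /usr/bin path are assumptions), refuses root, system-account and non-directory owners, drops supplementary groups, gid and uid in that order, confirms root cannot be regained, and execs with a scrubbed environment. MIN_UID is an assumed cut-off for system accounts; Linux-only (setresuid/setresgid).

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define REAL_SERVER "/usr/bin/mod-mono-server" /* assumed install path */
#define MIN_UID 1000                            /* assumed: first non-system uid */

/* Reject targets that would keep or gain privilege: anything that is not a
 * real directory (lstat makes symlinks fail this), root-owned, or owned by
 * a system account below min_uid. Returns 0 when the owner is acceptable. */
int check_owner(uid_t uid, gid_t gid, mode_t mode, uid_t min_uid)
{
    if (!S_ISDIR(mode)) return -1;
    if (uid == 0 || gid == 0) return -1;
    if (uid < min_uid) return -1;
    return 0;
}

/* Drop privileges irrevocably: supplementary groups first, then gid, then
 * uid (real, effective and saved), and verify root cannot be regained.
 * Refuses to "drop" to uid or gid 0. Returns 0 only on full success. */
int drop_to(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;
    if (setgroups(1, &gid) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct stat st; struct passwd *pw; char home[4096];
    if (argc < 2 || lstat(argv[1], &st) != 0) return 1;   /* argv[1]: site directory */
    if (check_owner(st.st_uid, st.st_gid, st.st_mode, MIN_UID) != 0) return 1;
    if ((pw = getpwuid(st.st_uid)) == NULL) return 1;
    snprintf(home, sizeof home, "HOME=%s", pw->pw_dir);   /* xsp keeps .wapi under $HOME */
    if (drop_to(pw->pw_uid, pw->pw_gid) != 0) return 1;
    /* Fresh, minimal environment so inherited variables cannot steer the loader. */
    char *env[] = { "PATH=/usr/bin:/bin", home, NULL };
    argv[1] = REAL_SERVER;                                 /* forward remaining args */
    execve(REAL_SERVER, argv + 1, env);
    return 1;                                              /* exec failed */
}
```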