- I've written kernel modules for Linux (2.6) and FreeBSD (5.X) to support mod_blink.
- A small patch which adds setreuid, setregid to the main exec function in APR. This secures cgi execution, and should also secure mod_rewrite external remappers.
- This patch removes the additional groups added with an initgroups call during apache startup. These are not normally needed, and are somewhat dangerous with seteuid apache daemons.
Software
Apache software and patches
mod_blink (Apache 2)
mod_blink is a seteuid/setegid switch module for apache 2,
which allows full user separation for the entire webroot.
This module is somewhat like mod_become/mod_suid/mod_ruid, but
instead of requiring root privileges it requires a small
bit of kernel support to enable setegid/seteuid for the apache uid.
The code lives in svn.
ServerName in Errorlog (Apache 2)
This is a small patch which prepends "ServerName " to errorlog entries.
This makes it possible to split a combined errorlog per VirtualHost.
Mod_Tsunami 2.0 for Apache 2
Mod_Tsunami allows request limits per vhost. This is quite useful for
large shared hosting servers, to enforce fair resource sharing.
I've ported the module to Apache 2. The main porting was easy,
but the module also needed some changes to accommodate the new
scoreboard and threading support in Apache 2. The code
is available in svn.
Vhostlog
A simple pipe/fifo logger for apache, initially created by Johan Mulder, which writes out logs to separate
files for each vhost. This solves the file descriptor and open
file issues one encounters when doing LogFiles per vhost
the apache way. The program is kept as simple and fast as possible,
to prevent slowdowns.
Code is available in svn.
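A sketch of the per-vhost pipe logger idea described above, added here as an illustration and not Vhostlog's own code. It assumes every line starts with the vhost name and a space (for example a LogFormat beginning with "%v "); VhostLogWriter, run and the "_invalid" bucket are hypothetical names. It caps the number of open files and refuses vhost names that could escape the log directory.

```python
import os
import re
import sys
from collections import OrderedDict

# Assumption: each input line is "<vhost> <rest of log entry>".
# Only plain hostname characters are accepted as a file name.
VHOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?")


class VhostLogWriter:
    """Demultiplex one combined log stream into one file per vhost."""

    def __init__(self, log_dir, max_open=64):
        self.log_dir = log_dir
        self.max_open = max_open
        self.handles = OrderedDict()  # vhost -> file, least recently used first

    def _handle(self, vhost):
        fh = self.handles.pop(vhost, None)
        if fh is None:
            if len(self.handles) >= self.max_open:
                # Close the least recently used file to stay under the fd cap.
                self.handles.popitem(last=False)[1].close()
            fh = open(os.path.join(self.log_dir, vhost + ".log"), "a")
        self.handles[vhost] = fh  # re-insert as most recently used
        return fh

    def write(self, line):
        vhost, sep, rest = line.partition(" ")
        vhost = vhost.lower()
        # Names such as "../x" or "a/b" must never become part of a path.
        if not sep or not VHOST_RE.fullmatch(vhost) or ".." in vhost:
            vhost, rest = "_invalid", line  # keep the raw line for review
        self._handle(vhost).write(rest if rest.endswith("\n") else rest + "\n")

    def close(self):
        for fh in self.handles.values():
            fh.close()
        self.handles.clear()


def run(stream, log_dir, max_open=64):
    """Read log lines from stream until EOF and split them by vhost."""
    writer = VhostLogWriter(log_dir, max_open)
    try:
        for line in stream:
            writer.write(line)
    finally:
        writer.close()


if __name__ == "__main__":
    run(sys.stdin, sys.argv[1])
```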
PHP CGI (Apache 2)
In most shared hosting setups php-cgi is preferred over mod_php.
The problem is that this requires a #!/path/to/php entry in each
php script. There is a way to fix this in apache:
Alias /cgi-bin/php4 /usr/local/bin/php4.cgi
Action php4 /cgi-bin/php4
AddHandler php4 .php
This causes a load of other problems (php parses non-existent files,
discard-path fun, etc.). The better solution is to make mod_cgi handle
php scripts through extra handlers. This patch does just that for apache 1.3.
Action php4 /cgi-bin/php4
AddHandler php4 .php
I have rewritten the patch for Apache 2, based on the suexec code in APR. The changes are now confined to mod_cgi, which should simplify maintenance/portability