This shows you the differences between two versions of the page.
documentation:mod_rsbac [2006/02/04 11:52] ao Add CGI |
documentation:mod_rsbac [2006/02/04 11:58] ao Alternative worker startup |
||
---|---|---|---|
Line 10: | Line 10: | ||
===== Behaviour ===== | ===== Behaviour ===== | ||
- | The Apache master process, which accepts connections, runs with role Master. This can e.g. be set as initial role on the httpd binary. The Worker-Main role is assigned to the Apache user (e.g. www-run). When a worker process gets forked from the master process, it calls setuid(www-run) and thus gets the Worker-Main role as current role. | + | The Apache master process, which accepts connections, runs with role Master. This can e.g. be set as initial role on the httpd binary. The Worker-Main role is assigned to the Apache user (e.g. www-run). When a worker process gets forked from the master process, it calls setuid(www-run) and thus gets the Worker-Main role as current role. Alternatively, the worker process can actively change from Master to Worker-Main, if set as compatible role. |
Whenever a new connection comes in, the Master process selects an idle worker process, assigns the Worker-Main role to it and hands over the connection. The worker process reads the request, actively changes its current role to the correct virtual domain role and serves the requested pages. As it cannot change back to Worker-Main by itself, there is no way to access another virtual domain without help of the master process. | Whenever a new connection comes in, the Master process selects an idle worker process, assigns the Worker-Main role to it and hands over the connection. The worker process reads the request, actively changes its current role to the correct virtual domain role and serves the requested pages. As it cannot change back to Worker-Main by itself, there is no way to access another virtual domain without help of the master process. | ||
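Review bot: The sentence added on the + side at Line 10 ("Alternatively, the worker process can actively change from Master to Worker-Main, if set as compatible role") does not say which role carries the compatibility setting or in which direction it applies. Suggest wording it as "if Worker-Main is set as a compatible role of Master". It should also say that the worker has to make this change before it handles any request, since until then the forked process still runs with role Master. Finally, the unchanged paragraph that follows relies on the worker not being able to change back to Worker-Main by itself, so it is worth stating that this compatibility is set on Master only and not on the virtual domain roles.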
Line 25: | Line 25: | ||
Each virtual domain can have a directory for CGIs with a force_role setting for another role per virtual domain, so that CGIs have different access rights. | Each virtual domain can have a directory for CGIs with a force_role setting for another role per virtual domain, so that CGIs have different access rights. | ||
- |