Apache RSBAC module

This is the proposed RC logic and usage of the new Apache module mod_rsbac for virtual servers (also works with directories).

The target is to have completely separated virtual domains (or directories) without the overhead of forking new processes and/or executing a helper program like suexec. As long as a worker process serves for one virtual server, it cannot access anything from another virtual server.

We have two basic roles, Master and Worker-Main, and one role per virtual server. The Master role has ASSIGN right to Worker-Main and all virtual domain roles. Worker-Main is compatible with all virtual domain roles. The data area of each virtual server has its own type, which can only be accessed by this virtual server's role and not by Worker-Main or Master.

The Apache master process, which accepts connections, runs with role Master. This can e.g. be set as initial role on the httpd binary. The Worker-Main role is assigned to the Apache user (e.g. www-run). When a worker process gets forked from the master process, it calls setuid(www-run) and thus gets the Worker-Main role as current role. Alternatively, the worker process can actively change from Master to Worker-Main, if set as compatible role.

Whenever a new connection comes in, the Master process selects an idle worker process, assigns the Worker-Main role to it and hands over the connection. The worker process reads the request, actively changes its current role to the correct virtual domain role and serves the requested pages. As it cannot change back to Worker-Main by itself, there is no way to access another virtual domain without help of the master process.

Each virtual server has its own upload user, which gets a separate role as def_role. All these users are in the same Linux group as the Webserver, this is important for PHP safe mode and write accesses.

Pages, which must be writable for the Webserver (e.g. for Wikis), get group write right. The virtual server role either needs write access to the virtual server data type or another type per virtual server is introduced for Webserver write accesses. In this case, the upload user role must have ASSIGN right to both types to choose.

Each virtual domain can have a directory for CGIs with a force_role setting for another role per virtual domain, so that CGIs have different access rights.