1

How can apache's children, which are running as a non-root user, access the private key (used with the SSL certificate) which only root should have access to?

Indeed, when Apache is starting, only the main process is still running as root. Threads are being run as a non-root user. Normally, when following the security guides, your private key's owner is root and its permissions are 600.

So how are those children able to establish an SSL connection? Is there shared memory between the main process and children, it there a temporary file being used or is the main process responsible for the establishment of the SSL connection?

Also (this is a bit off-topic but it's still interesting) does this mean that being able to compromise a web-server means being able to compromise the private key? For example, let's say we are able to get access to a PHP webshell (as PHP and Apache often share the same user), does this mean we could retrieve (one way or another) the private keys?

Thanks.

Pierre
  • 23
  • 5
  • for your additional question: once one user is compromised, there most likely will be some exploit which can give that user increased privileges, resulting in a "full" server owner change. So always expect the worse.. Once there is a user compromise, rebuild. – Dennis Nolte Sep 15 '14 at 12:18
  • @DennisNolte: I totally agree with you. Still, I was wondering if just compromising the server would be enough to access the private key without any privilege escalation. – Pierre Sep 15 '14 at 12:25

2 Answers2

2

Root rights are also required to bind to the privileged TCP ports 80 and 443, opening the log files, and not just for the right to read configuration files including the public and private keys.

From the Apache manual:

... it is necessary to have root privileges in order to start apache, so that it can bind to this privileged port. Once the server has started and performed a few preliminary activities such as opening its log files, it will launch several child processes which do the work of listening for and answering requests from clients. The main httpd process continues to run as the root user, but the child processes run as a less privileged user. This is controlled by the selected Multi-Processing Module.

With regards to the SSL public and private key files, AFAIK they are only read upon startup anyway, after which they are in memory and remain available for the duration the server remains running. (See this question)

That was why after heartbleed, which exposed random pieces of web server memory, you also needed to generate new SSL certificates and simply patching wasn't enough. With sufficient time and a bit of luck heartbleed could have exposed the memory fragments containing your SSL private key.

Community
  • 1
HBruijn
  • 72,524
  • 21
  • 127
  • 192
0

IMHO the children do not deal with them at all. As the root process is taking all TCP connections - and forwarding the request and repsonse to and from the child handling it - the child never has to deal with the certificate. All it has to do is to deal with the data piped from the parent process - and rehtrn the output.

It never establishes a ssl connection to start with.

TomTom
  • 50,857
  • 7
  • 52
  • 134