mod_privsep

Privilege Separation for Apache httpd

mod_privsep wiki

mod_privsep addresses the problem of the Apache WebDAV (mod_dav) virtual server limitation of only being able to write files as a single user id (usually something like 'nobody' or 'www').

mod_privsep addresses this problem in a secure way by adding privilege separation to the Apache web server (conceptually similar to ssh privilege separation).

A privilege separated Apache can be used to allow WebDAV write access to users' home directories while both preserving and honouring unix permissions and allowing the use of unix quotas and PAM authentication.

mod_privsep is not yet a completely standalone module and is currently implemented as a set of patches on top of apache httpd. Work is underway to investigate a solution that would integrate more cleanly into apache.

Useful starting points:

• ModPrivsepDocs - documentation for mod_privsep

• ModPrivsepToDo - mod_privsep items that still need to be implemented

• ModPrivsepPatches - current mod_privsep patches

• ModDavExtendedAttributes - mod_dav_fs properties using extended attributes

• AprExtendedAttributes - portable extended attributes support for APR

• AprVirtualFileSystem - proposal for a VFS API in APR

Wiki starting points:

• RecentChanges: see where people are currently working

• WikiSandBox: feel free to change this page and experiment with editing

• FindPage: search or browse the database in various ways

• SyntaxReference: quick access to wiki syntax

• SiteNavigation: get an overview over this site and what it contains

mod_privsep is licensed under the Apache 2.0 License