4

In Apache httpd webserver there are two ways to load modules into the server, static and dynamic.

There are some modules which must be loaded static, e.q. mod_so and core.

The mod_so must be loaded to enable dynamic loading of module, but it is also needed when all modules are loaded statically.

My question is: Is it more secure loading modules such as mod_ssl static rather than dynamic?

I've configured and tested on Apache httpd-2.4 webserver.

Thomas K
  • 143
  • 6

2 Answers2

2

Static loading makes any difference for security only in situations where malicious people may alter the files that you load dynamically, at which point it is fair to say that you have bigger troubles at hand.

If we really want to talk about security in relation with static Apache modules, then we might argue the following: non-static modules make third-party packages easier. In, say, a Linux system, you would have a "main" Apache package, and you could have a module provided by another package. For instance, on a recent Ubuntu server, you may have the apache2-bin package, that provides Apache itself, and libapache2-mod-php5, that provides the PHP support as a non-static module. The PHP support can be in another package precisely because it is a non-static module.

If a security issue is found in the PHP module, then that package can be fixed (with a new, patched package) right away, without having to replace the Apache main package in any way. Thus, hopefully, the fixing process is faster: less people involved, smaller fixed packages to download... In that sense, non-static modules can be thought of as enhancing security, but that is very indirect. What improves security here is the ability to split the code base into several packages that can be upgraded separately, and non-static modules support that model.

Note that static modules could still be managed as independent packages, but this would require the package manager to recompile (or at least re-link) the Apache binary whenever a static module is upgraded. Recompilation upon upgrade is a viable strategy (that's what the *BSD systems like FreeBSD do with their "ports") but, as a rule, Linux distributions have chosen the "binary packages" path.

Tom Leek
  • 172,594
  • 29
  • 349
  • 481
0

I think there are two main security risks with dynamic linking:

  1. Module Replacement: Someone could replace a module you're loading with their own version. That perhaps logs session IDs and their corresponding session keys.
  2. Pre-loading: Someone realizes that there is a directory in the library search path that is checked before the current module is loaded. The attacker places their own version of the module in that directory, and their module is found and loaded before the original module gets a chance to be found.

However, both of these attacks would most likely require root access to perform. The first can easily be mitigated by performing some type of integrity check on the modules themselves. A program like TripWire will tell you if a file/module has been changed in any way. The second you could restrict your library paths to root owned directories, and keep the number of checked paths to a minimum.

If someone already has root access to your server, then you most likely have larger problems.

RoraΖ
  • 12,457
  • 4
  • 52
  • 84