I’ve received requests to add FreeBSD 7.x support to mod_blink, my implementation of Apache user separation. The Apache module works just fine on newer Apache releases, but there have been many changes on the kernel side. Kernel support is needed to grant additional privileges to the Apache module. The old FreeBSD kernel module is a “hack” because it modifies the seteuid/setegid syscalls by hooking them via the syscall table, which is a pretty nasty way to get things done.
Luckily, things have improved on the FreeBSD side, which allows for a clean implementation. The TrustedBSD MAC framework, which was imported at around 5.0, presents clean hooks to relax/restrict privileges via loadable modules, rather similar to LSM on the Linux side.
This weekend I’ve written mac_blink, which should work on FreeBSD 5+ kernels with MAC support (KERNCONF=MAC).