apache2-mpm-itk
Ben
10th August 2008, 18:16
Hi till / falko,
How about implementing apache2-mpm-itk for ISPConfig 3?
Seen from the security side, it looks really good...
http://mpm-itk.sesse.net/
http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/
till
31st August 2008, 10:04
Looks interesting. Has anybody tested how it performs for a larger number of vhosts, e.g. 100 - 20, performance and RAM wise? The project is also marked as experimental at the moment.
Implementing this in ISPConfig 3 should be easy and could most likely be done by simply changing the Apache configuration template, without programming.
bjarne-j
3rd October 2008, 00:23
Would it be possible to add mpm-itk support in ISPConfig 2?
mpm-itk sounds like a great way of dealing with PHP-security without sacrificing too much performance.
grungy
5th January 2009, 15:32
I have been running mpm-itk for 8 months now and I love it. To add mpm-itk support to ISPConfig, it is a matter of modifying the Apache templates to add:
<IfModule mpm_itk_module>
AssignUserId {SUEXEC_USER} {SUEXEC_GROUP}
</IfModule>
and for domains/subdomains.
P.S. You have to install the mpm-itk Apache (apt-get install apache2-mpm-itk), and that will remove your current Apache.
archerjd
7th January 2009, 02:07
Could these settings be applied during the install of ISPC3?
E.g. the installer auto-detects which mpm you have installed?
I could see adding this capability definitely, but in the case that a site has an issue with it you should be able to turn it off. This could be done safely by removing the user directives from the vhost. When mpm-itk doesn't see the directives in Debian it just defaults to www-data:www-data.
I have used it with success and have been very happy with it for the experimental sites I have been testing, but I haven't actually put it into production. The advantages you would have are phenomenal, not to mention web applications that implement the DAV protocol.
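A check for the fallback described in the post above, added here as an example and not code from any poster or from ISPConfig: it reads a rendered Apache vhost file and lists the vhosts that carry no AssignUserId and would therefore run as the shared default. The sample config, the function names and the www-data:www-data default passed as `fallback` (taken from the post's Debian remark) are assumptions.

```python
import re

# Constructed sample of a rendered vhost file (not taken from the thread).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName alpha.example
    <IfModule mpm_itk_module>
        AssignUserId web1 client1
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName beta.example
    # AssignUserId web2 client2
</VirtualHost>
"""

OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
SERVER = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
ASSIGN = re.compile(r"^\s*AssignUserId\s+(\S+)\s+(\S+)", re.I)

def audit_vhosts(conf_text, fallback=("www-data", "www-data")):
    """Return one dict per <VirtualHost> with the user/group it will run as."""
    results, current = [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out directive assigns nothing
        if OPEN.match(line):
            current = {"server": None, "user": fallback[0], "group": fallback[1], "explicit": False}
        elif CLOSE.match(line) and current is not None:
            results.append(current)
            current = None
        elif current is not None:
            m = SERVER.match(line)
            if m:
                current["server"] = m.group(1)
            m = ASSIGN.match(line)
            if m:
                current.update(user=m.group(1), group=m.group(2), explicit=True)
    return results

def unisolated(conf_text):
    """ServerName of every vhost that falls back to the shared default user."""
    return [v["server"] for v in audit_vhosts(conf_text) if not v["explicit"]]

if __name__ == "__main__":
    for v in audit_vhosts(SAMPLE_CONF):
        print(v)
```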
grungy
7th January 2009, 08:09
> Could these settings be applied during the install of ISPC3?
> E.g. the installer auto-detects which mpm you have installed?
> I could see adding this capability definitely, but in the case that a site has an issue with it you should be able to turn it off. This could be done safely by removing the user directives from the vhost. When mpm-itk doesn't see the directives in Debian it just defaults to www-data:www-data.
> I have used it with success and have been very happy with it for the experimental sites I have been testing, but I haven't actually put it into production. The advantages you would have are phenomenal, not to mention web applications that implement the DAV protocol.
Last night I modified the ISPConfig vhost template to add the mpm-itk directives and it works....
archerjd
7th January 2009, 20:17
I noticed that you can't use shared applications, e.g. phpMyAdmin. Am I wrong or is there a way around this?
grungy
8th January 2009, 09:18
> I noticed that you can't use shared applications, e.g. phpMyAdmin. Am I wrong or is there a way around this?
There is a way around this. I know I solved this some time ago; I think it was with the phptmp dir - php_admin_value upload_tmp_dir
grungy
9th January 2009, 11:05
> I have been running mpm-itk for 8 months now and I love it. To add mpm-itk support to ISPConfig, it is a matter of modifying the Apache templates to add:
> <IfModule mpm_itk_module>
> AssignUserId {SUEXEC_USER} {SUEXEC_GROUP}
> </IfModule>
> and for domains/subdomains.
> P.S. You have to install the mpm-itk Apache (apt-get install apache2-mpm-itk), and that will remove your current Apache.
Actually, for ISPConfig you have to add:
<IfModule mpm_itk_module>
AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'>
</IfModule>
grungy
12th January 2009, 12:42
Feature request for mpm-itk - http://bugtracker.ispconfig.org/index.php?do=details&task_id=428&project=3
ilaidlaw
24th February 2009, 04:14
You'd likely also want to remove world read/write permissions from the files and remove world execute permissions from directories of all the document roots for each vhost. I have mpm_itk working in a test environment as well, seems ok so far.
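The permission clean-up suggested in the post above, added here as an example and not code from the poster: it reports regular files that still grant world read/write and directories that still grant world execute under a document root, then clears exactly those bits. The function names and the demo tree are assumptions; symlinks are skipped.

```python
import os
import stat
import tempfile

WORLD_RW = stat.S_IROTH | stat.S_IWOTH   # world read/write, checked on files
WORLD_X = stat.S_IXOTH                   # world execute, checked on directories

def audit_docroot(docroot):
    """Return (path, excess_bits) for every entry still granting those bits."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):  # does not descend into symlinked dirs
        if os.lstat(dirpath).st_mode & WORLD_X:
            findings.append((dirpath, WORLD_X))
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_RW:
                findings.append((path, st.st_mode & WORLD_RW))
    return findings

def tighten_docroot(docroot):
    """Clear only the bits reported by audit_docroot; return entries changed."""
    findings = audit_docroot(docroot)
    for path, bits in findings:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~bits)
    return len(findings)

if __name__ == "__main__":
    # Constructed demo tree in a temporary directory.
    root = tempfile.mkdtemp()
    page = os.path.join(root, "index.php")
    open(page, "w").close()
    os.chmod(page, 0o666)
    os.chmod(root, 0o755)
    print(audit_docroot(root))
    print(tighten_docroot(root), "entries tightened")
```

Run the audit on its own first; the vhost's files must already be owned by the user named in AssignUserId, or removing the world bits will lock the site out of its own document root.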
SuperQ
27th February 2009, 00:49
I'm glad it's easy to add this feature. I use mpm-itk for about 70 virtual hosts running on my system. It has been fairly stable, and helps secure crappy PHP applications from each other for different users. I have been looking at various ISP packages for a while and am hoping to test out ISPConfig 3 now.
I'll probably post a bunch of questions soon. :-)
demia
19th May 2009, 17:44
Hi,
I have a somewhat simple problem. I have x.com; everyone is welcome, but when you log in from a PHP form you will be able to see your files and folders.
Each user's files will be in a separate /x/y/[user id] folder.
So, in my x.com vhost directive I need to assign a guest user at first; then, when the user logs in, I have to change the mpm-itk user so that the user can work with his files.
Do you know how to change this user dynamically? I have thousands of users, and each login should change the user to the corresponding unix user.
Thanks.
D
SuperQ
19th May 2009, 18:41
mpm-itk only works on a per-<VirtualHost> basis in the Apache config.
In each <VirtualHost> you can use AssignUserID.
See the itk docs: http://mpm-itk.sesse.net/
Nikolay Ulyanitsky
1st May 2010, 14:14
Increase Apache Vhost Security With mpm-itk In RHEL/CentOS 5 (http://blog.lystor.org.ua/2010/04/increase-apache-vhost-security-mpm-itk.html)