Improve security when using mpm_itk
Been a long time since I posted, hello again everyone!
mpm_itk security can be greatly improved with a couple of changes.
I suspect these changes might also help improve security of su_php and other such techniques too but I have only looked at mpm_itk so far.
The current vhost.conf.master looks like this:
So now the code running under apache can write to any file on that site.
This is not a very secure setup.
Often hackers gain control by uploading a php script then executing it.
The default ispconfig setup would allow this if you are using mpm_itk.
This is nearly perfect:
AssignUserId www-data client12
I also changed /etc/apache2/envvars
Apache runs as www-data user and client12 group
Take a directory that is chmod 750:
drwxr-x--- 2 web23 client12 4096 Dec 12 18:17 test
The directory can be read by apache because group client12 has read permissions.
But apache can not write to that directory.
No other site's apache process or ssh/ftp users can read this directory.
That directory is very isolated, only its users and its apache processes can access it.
If I want to grant apache write permissions chmod 770 works great:
drwxrwx--- 2 web23 client12 4096 Dec 12 18:17 test
Now apache, for this site, can read and write to the test directory.
The only issue is that if apache creates a file it will be owned by www-data user and group which makes it impossible for your customer to log in with FTP/SSH and delete the file.
We can ensure the group gets set right by making the group sticky:
chmod g+s test
Now our test directory looks like this:
drwxrws--- 2 web23 client12 4096 Dec 12 18:56 test
apache creates a file and a folder:
drwxrws--- 3 www-data client12 4096 Dec 12 18:46 test
-rw-rw---- 1 www-data client12 21 Dec 12 18:46 YourFile.txt
Perfect, the group has rw permissions on both.
Now your customer can also remove items created by apache.
Any chance we can get the vhost.conf.master changed and have ISPConfig also perform the chmod g+s when it creates folders?
Anyone see a problem with the above setup?
I also do not have a problem telling them to chmod the folders that need to be written by apache.
Are there any changes you would accept that would allow ISPConfig admins to choose a more restricted setup vs the current setup?
Another method would be to create a 2nd user account for each site that is in the same group, then use that user account in the vhost.conf.master.
No need to chmod g+s with this approach but how to handle quotas for this additional user is a bit of an issue.
|All times are GMT +2. The time now is 22:18.|
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.