13th December 2011, 01:25
e100
Improve security when using mpm_itk

Been a long time since I posted, hello again everyone!

mpm_itk security can be greatly improved with a couple of changes.
I suspect these changes might also help improve security of su_php and other such techniques too but I have only looked at mpm_itk so far.

The current vhost.conf.master looks like this:
Code:
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'>
    </IfModule>
The issue is the system_user is the same as the file owner.
So now the code running under apache can write to any file on that site.
This is not a very secure setup.

Often hackers gain control by uploading a PHP script then executing it.
The default ISPConfig setup would allow this if you are using mpm_itk.


This is nearly perfect:
Code:
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId www-data <tmpl_var name='system_group'>
    </IfModule>
For the following examples assume a site configured like this:
AssignUserId www-data client12

I also changed /etc/apache2/envvars
Code:
    umask 007
This ensures that things apache creates will have owner and group rw.

Apache runs as www-data user and client12 group

Take a directory that is chmod 750:
drwxr-x--- 2 web23 client12 4096 Dec 12 18:17 test

The directory can be read by apache because group client12 has read permissions.
But apache cannot write to that directory.
No other site's apache process or ssh/ftp users can read this directory.
That directory is very isolated, only its users and its apache processes can access it.

If I want to grant apache write permissions chmod 770 works great:
drwxrwx--- 2 web23 client12 4096 Dec 12 18:17 test

Now apache, for this site, can read and write to the test directory.
The only issue is that if apache creates a file it will be owned by www-data user and group, which makes it impossible for your customer to log in with FTP/SSH and delete the file.

We can ensure the group gets set right by making the group sticky:
chmod g+s test


Now our test directory looks like this:
drwxrws--- 2 web23 client12 4096 Dec 12 18:56 test

apache creates a file and a folder:
drwxrws--- 3 www-data client12 4096 Dec 12 18:46 test
-rw-rw---- 1 www-data client12 21 Dec 12 18:46 YourFile.txt

Perfect, the group has rw permissions on both.
Now your customer can also remove items created by apache.

Any chance we can get the vhost.conf.master changed and have ISPConfig also perform the chmod g+s when it creates folders?

Anyone see a problem with the above setup?
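An added example, not part of the original post and not ISPConfig code: a small Python audit of a site tree against the permission model the post describes. It flags directories the site group (and so that site's Apache process) can write to, group-writable directories missing the setgid bit set by `chmod g+s`, any access for "other", and directories whose group is not the site group. The function names, finding labels and command-line arguments are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Audit a site docroot against the owner/group model described in the post."""
import os
import stat
import sys


def assess(mode):
    """Findings for one directory's st_mode (owner = site user, group = site group)."""
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("other-access")        # processes of other sites can get in
    if mode & stat.S_IWGRP:
        findings.append("apache-writable")     # Apache (site group) can create files here
        if not mode & stat.S_ISGID:
            findings.append("missing-setgid")  # new entries get Apache's own group
    return findings


def audit_tree(root, site_gid):
    """Walk root and return {path: findings} for every directory with a finding."""
    report = {}
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        findings = assess(st.st_mode)
        if st.st_gid != site_gid:
            findings.append("wrong-group")     # site group cannot manage this entry
        if findings:
            report[dirpath] = findings
    return report


if __name__ == "__main__":
    # Usage: audit.py <docroot> <site_group>   (e.g. the group client12 from the post)
    import grp
    root, group = sys.argv[1], sys.argv[2]
    site_gid = grp.getgrnam(group).gr_gid
    for path, findings in sorted(audit_tree(root, site_gid).items()):
        print(f"{path}: {', '.join(findings)}")
```

A directory reported as `apache-writable` is not necessarily wrong; it is a place where uploaded files can land, so each one should be there on purpose.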