Improve security when using mpm_itk
Posted by e100, 13th December 2011, 01:25

Been a long time since I posted, hello again everyone!

mpm_itk security can be greatly improved with a couple of changes.
I suspect these changes might also help improve security of su_php and other such techniques too, but I have only looked at mpm_itk so far.

The current vhost.conf.master looks like this:
Code:
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'>
    </IfModule>
The issue is the system_user is the same as the file owner.
So now the code running under apache can write to any file on that site.
This is not a very secure setup.

Often hackers gain control by uploading a PHP script then executing it.
The default ispconfig setup would allow this if you are using mpm_itk.


This is nearly perfect:
Code:
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId www-data <tmpl_var name='system_group'>
    </IfModule>
For the following examples assume a site configured like this:
AssignUserId www-data client12

I also changed /etc/apache2/envvars
Code:
    umask 007
This ensures that things apache creates will have owner and group rw.

Apache runs as www-data user and client12 group

Take a directory that is chmod 750:
drwxr-x--- 2 web23 client12 4096 Dec 12 18:17 test

The directory can be read by apache because group client12 has read permissions.
But apache cannot write to that directory.
No other site's apache process or ssh/ftp users can read this directory.
That directory is very isolated, only its users and its apache processes can access it.

If I want to grant apache write permissions chmod 770 works great:
drwxrwx--- 2 web23 client12 4096 Dec 12 18:17 test

Now apache, for this site, can read and write to the test directory.
The only issue is that if apache creates a file it will be owned by www-data user and group, which makes it impossible for your customer to log in with FTP/SSH and delete the file.

We can ensure the group gets set right by making the group sticky:
chmod g+s test


Now our test directory looks like this:
drwxrws--- 2 web23 client12 4096 Dec 12 18:56 test

apache creates a file and a folder:
drwxrws--- 3 www-data client12 4096 Dec 12 18:46 test
-rw-rw---- 1 www-data client12 21 Dec 12 18:46 YourFile.txt

Perfect, the group has rw permissions on both.
Now your customer can also remove items created by apache.

Any chance we can get the vhost.conf.master changed and have ISPConfig also perform the chmod g+s when it creates folders?

Anyone see a problem with the above setup?
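
An added example, not part of the original post or of ISPConfig: a shell audit that checks a site directory against the permission model described above (no access for other, setgid on every group-writable directory, one group throughout). The function names, the finding labels and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the post): audit a site tree against the model
# above: modes 750/770 with umask 007, setgid on group-writable directories.
# Assumes a POSIX shell with find, ls, awk and sed, plus mktemp for the sample.

# list_findings DIR GROUP: print one labelled line per problem entry.
list_findings() {
    # Any permission bit for other lets processes of another site in.
    # Symlinks always show rwxrwxrwx, so skip them.
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) \
        -print | sed 's/^/WORLD-ACCESS /'
    # Group-writable directory without setgid: entries created there
    # do not inherit the group of the directory.
    find "$1" -type d -perm -020 ! -perm -2000 -print | sed 's/^/NO-SETGID /'
    # Entry whose group is not the site group.
    find "$1" ! -group "$2" -print | sed 's/^/WRONG-GROUP /'
}

# audit_site DIR [GROUP]  (GROUP defaults to the group that owns DIR)
# Prints the findings; returns 1 if anything was found, else 0.
audit_site() {
    dir=$1
    grp=$2
    [ -n "$grp" ] || grp=$(ls -ldn "$dir" | awk '{print $4}')
    findings=$(list_findings "$dir" "$grp")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# build_sample: constructed tree for trying the audit; prints its path.
build_sample() {
    root=$(mktemp -d) || return 1
    mkdir "$root/private" "$root/uploads" "$root/cache" "$root/public"
    : > "$root/cache/page.html"
    chmod 750 "$root" "$root/private"
    chmod 770 "$root/uploads" && chmod g-s "$root/uploads"  # setgid missing
    chmod 2770 "$root/cache"            # writable by group, setgid set
    chmod 755 "$root/public"            # readable by other
    chmod 660 "$root/cache/page.html"
    printf '%s\n' "$root"
}
```

Run `audit_site` on a site's directory, optionally passing the expected group (for the example site in the post, `client12`); on the constructed sample it reports `public` as WORLD-ACCESS and `uploads` as NO-SETGID.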