  #1  
Old 13th December 2011, 02:25
e100 e100 is offline
Improve security when using mpm_itk

Been a long time since I posted, hello again everyone!

mpm_itk security can be greatly improved with a couple of changes.
I suspect these changes might also help improve security of su_php and other such techniques too but I have only looked at mpm_itk so far.

The current vhost.conf.master looks like this:
Code:
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'>
    </IfModule>
The issue is the system_user is the same as the file owner.
So now the code running under apache can write to any file on that site.
This is not a very secure setup.

Often hackers gain control by uploading a php script then executing it.
The default ispconfig setup would allow this if you are using mpm_itk.


This is nearly perfect:
Code:
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId www-data <tmpl_var name='system_group'>
    </IfModule>
For the following examples assume a site configured like this:
AssignUserId www-data client12

I also changed /etc/apache2/envvars
Code:
umask 007
This ensures that things apache creates will have owner and group rw.

Apache runs as www-data user and client12 group

Take a directory that is chmod 750:
drwxr-x--- 2 web23 client12 4096 Dec 12 18:17 test

The directory can be read by apache because group client12 has read permissions.
But apache cannot write to that directory.
No other site's apache process or ssh/ftp users can read this directory.
That directory is very isolated, only its users and its apache processes can access it.

If I want to grant apache write permissions chmod 770 works great:
drwxrwx--- 2 web23 client12 4096 Dec 12 18:17 test

Now apache, for this site, can read and write to the test directory.
The only issue is that if apache creates a file, it will be owned by www-data user and group, which makes it impossible for your customer to log in with FTP/SSH and delete the file.

We can ensure the group gets set right by making the group sticky:
chmod g+s test


Now our test directory looks like this:
drwxrws--- 2 web23 client12 4096 Dec 12 18:56 test

apache creates a file and a folder:
drwxrws--- 3 www-data client12 4096 Dec 12 18:46 test
-rw-rw---- 1 www-data client12 21 Dec 12 18:46 YourFile.txt

Perfect, the group has rw permissions on both.
Now your customer can also remove items created by apache.

Any chance we can get the vhost.conf.master changed and have ISPConfig also perform the chmod g+s when it creates folders?

Anyone see a problem with the above setup?
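An added example, not part of the original posts and not ISPConfig code: a shell function that audits a site's web root against the scheme proposed in post #1, flagging anything accessible to "other" and any group-writable directory that lacks the setgid bit. The function names, output tags and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Audit a web root against the permission scheme from post #1.
# Prints one finding per line as "<TAG> <path>":
#   OTHER-ACCESS  entry grants some permission to "other", so it is not
#                 isolated from other sites' users and processes
#   NO-SETGID     directory is group-writable but has no setgid bit, so new
#                 entries are not forced to inherit the directory's group
#   WRITABLE      directory is group-writable with setgid: a place the web
#                 server's group can write to (confirm this is intended)
audit_webroot() {
    root=$1
    # Any "other" bit set; portable spelling of GNU find's -perm /007.
    # Symlinks are skipped because their mode bits are always 777.
    find "$root" ! -type l \
        \( -perm -0001 -o -perm -0002 -o -perm -0004 \) \
        -exec printf 'OTHER-ACCESS %s\n' {} \;
    find "$root" -type d -perm -0020 ! -perm -2000 \
        -exec printf 'NO-SETGID %s\n' {} \;
    find "$root" -type d -perm -2020 \
        -exec printf 'WRITABLE %s\n' {} \;
}

# Constructed demo tree (directory names are hypothetical).
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/private" "$d/uploads" "$d/cache" "$d/public"
    chmod 750  "$d" "$d/private"   # group may read, nobody else
    chmod 2770 "$d/uploads"        # group-writable with setgid (g+s)
    chmod 770  "$d/cache"          # group-writable, setgid missing
    chmod 755  "$d/public"         # readable by "other"
    printf '%s\n' "$d"
}

# Stand-alone run over the demo tree.
tree=$(demo_tree)
audit_webroot "$tree"
rm -rf "$tree"
```

Point `audit_webroot` at a real site directory to list the locations the web server group can write to and the entries that break isolation between sites.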
  #2  
Old 13th December 2011, 07:30
till till is offline

Quote:
Any chance we can get the vhost.conf.master changed and have ISPConfig also perform the chmod g+s when it creates folders?
Your setup is nice for websites that are not maintained by the customer, but it's not an option for the majority of web hosters. So it's unlikely that we will implement such a permission scheme as default, as most customers that bought a webspace will report their web as broken if they run a PHP script and this script can't write to the web folder, and also your setup disables the update functions in most CMS systems. And running a Joomla/WordPress/TYPO3/Drupal without updates is not a good idea.
__________________
Till Brehm
  #3  
Old 13th December 2011, 16:22
e100 e100 is offline

Quote:
Originally Posted by till View Post
Your setup is nice for websites that are not maintained by the customer, but it's not an option for the majority of web hosters. So it's unlikely that we will implement such a permission scheme as default, as most customers that bought a webspace will report their web as broken if they run a PHP script and this script can't write to the web folder, and also your setup disables the update functions in most CMS systems. And running a Joomla/WordPress/TYPO3/Drupal without updates is not a good idea.
You do have a good point, that the current setup is easier for customers.
I also do not have a problem telling them to chmod the folders that need to be written by apache.

Are there any changes you would accept that would allow ISPConfig admins to choose a more restricted setup vs the current setup?

Another method would be to create a 2nd user account for each site that is in the same group, then use that user account in the vhost.conf.master.
Code:
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId <tmpl_var name='system_user'>_web <tmpl_var name='system_group'>
    </IfModule>
If the 2nd user with "_web" appended was always created, it would cause no harm to those who choose not to use it. For those of us who choose to use it, we would only need to edit vhost.conf.master.
No need to chmod g+s with this approach, but how to handle quotas for this additional user is a bit of an issue.
Tags
isolation, mpm_itk, permissions, security
