Improve security when using mpm_itk

Discussion in 'Installation/Configuration' started by e100, Dec 13, 2011.

  1. e100

    e100 New Member

    Been a long time since I posted, hello again everyone!

    mpm_itk security can be greatly improved with a couple of changes.
    I suspect these changes might also help improve security of su_php and other such techniques too but I have only looked at mpm_itk so far.

    The current vhost.conf.master looks like this:
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'>
    The issue is the system_user is the same as the file owner.
    So now the code running under apache can write to any file on that site.
    This is not a very secure setup.

    Often hackers gain control by uploading a php script then executing it.
    The default ispconfig setup would allow this if you are using mpm_itk.

    This is nearly perfect:
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId www-data <tmpl_var name='system_group'>
    For the following examples assume a site configured like this:
    AssignUserId www-data client12

    I also changed /etc/apache2/envvars
    umask 007
    This ensures that things apache creates will have owner and group rw.

    Apache runs as www-data user and client12 group

    Take a directory that is chmod 750:
    drwxr-x--- 2 web23 client12 4096 Dec 12 18:17 test

    The directory can be read by apache because group client12 has read permissions.
    But apache can not write to that directory.
    No other site's apache process or ssh/ftp users can read this directory.
    That directory is very isolated, only its users and its apache processes can access it.

    If I want to grant apache write permissions chmod 770 works great:
    drwxrwx--- 2 web23 client12 4096 Dec 12 18:17 test

    Now apache, for this site, can read and write to the test directory.
    The only issue is that if apache creates a file it will be owned by www-data user and group which makes it impossible for your customer to log in with FTP/SSH and delete the file.

    We can ensure the group gets set right by making the group sticky:
    chmod g+s test

    Now our test directory looks like this:
    drwxrws--- 2 web23 client12 4096 Dec 12 18:56 test

    apache creates a file and a folder:
    drwxrws--- 3 www-data client12 4096 Dec 12 18:46 test
    -rw-rw---- 1 www-data client12 21 Dec 12 18:46 YourFile.txt

    Perfect, the group has rw permissions on both.
    Now your customer can also remove items created by apache.

    Any chance we can get the vhost.conf.master changed and have ISPConfig also perform the chmod g+s when it creates folders?

    Anyone see a problem with the above setup?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Your setup is nice for websites that are not maintained by the customer, but its not a option for the majority of web hosters. So its unlikely that we will implement such a permission scheme as default as most customers that bought a webspace will report their web as broken if they run a php script and this script cant write to the web folder and also your setup disables the update functions in most cms systems. And running a joomla/wordpress/typo3/Drupal without updates is not a good idea.
  3. e100

    e100 New Member

    You do have a good point, that the current setup is easier for customers.
    I also do not have a problem telling them to chmod the folders that need to be written by apache.

    Are there any changes you would accept that would allow ISPConfig admins to choose a more restricted setup vs the current setup?

    Another method would be to create a 2nd user account for each site that is in the same group, then use that user account in the vhost.conf.master.
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId <tmpl_var name='system_user'>[B]_web[/B] <tmpl_var name='system_group'>
    If the 2nd user with "_web" appended was always created, it would cause no harm by those who choose not to use it. For those of us who choose to use it we would only need to edit vhost.conf.master.
    No need to chmod g+s with this approach but how to handle quotas for this additional user is a bit of an issue.

Share This Page