Tuesday, April 20, 2010

Increase Apache Vhost Security With mpm-itk

Introduction

mpm-itk is an MPM (Multi-Processing Module) for the Apache web server.

mpm-itk allows you to run each of your vhosts under a separate uid and gid. In short, the scripts and configuration files of one vhost no longer have to be readable by all the other vhosts, because they are no longer all executed as the same apache user.

There are already other mechanisms that do this, but they are not MPMs and cover only part of the problem: suexec (works only with CGI scripts) and mod_suphp (works only with PHP scripts). mpm-itk switches uid and gid for the whole request, whatever handler serves it.

mpm-itk is based on the traditional prefork MPM, which means it is non-threaded; in short, you can run non-thread-aware code (like many PHP extensions) without problems. On the other hand, you lose out on any performance benefit you would get with threads, of course; you have to decide for yourself whether that is worth it. You will also take an additional performance hit over prefork, since there is an extra fork per request: a child must fork, setuid to the vhost user, serve the request and exit, because a process cannot get its root privileges back afterwards. That also means the mpm-itk children run as root until the request has been parsed far enough to know which vhost it belongs to, so a flaw in Apache's request-parsing code would be exploitable as root, whereas with plain prefork it would only yield the apache user.

Installation

Download httpd-*src.rpm from the Red Hat FTP server, apply the patches below, then rebuild and install the RPM package:

  1. httpd.spec
  2. httpd.spec.diff
  3. apache2.2-mpm-itk-20090414-00.patch
  4. httpd-2.2.3-itk_ap_get_server_description.patch

Or install httpd from lystor's RHEL Repository.

Configuration

  1. Change /etc/sysconfig/httpd so the init script starts the itk build of httpd:
    HTTPD=/usr/sbin/httpd.itk
    
  2. Virtual hosts configuration:
    mpm-itk is very easy to configure. For each of your virtual hosts, simply add an AssignUserId directive.
    <VirtualHost *:80>
    ServerName www.example.com
    ...
    AssignUserId user1 group1
    </VirtualHost>
    
    AssignUserId takes two parameters, uid and gid (or really, user name and group name). Use a dedicated, non-login user per vhost; any vhost without AssignUserId keeps running as the User/Group from httpd.conf (apache on RHEL), so a forgotten directive silently falls back to the old shared account.
  3. Restrict the vhost's files to its own user and group (no access for "other", so a script running as another vhost's user cannot read them):
    # chown -R user1:group1 www.example.com
    # find www.example.com -type d -exec chmod 750 {} \;
    # find www.example.com -type f -exec chmod 640 {} \;
    
    The directories above the vhost tree (/var/www, for example) still need to be traversable by user1. Files that PHP creates at runtime (uploads, caches) are now created as user1 as well, so they no longer have to be writable by the apache user.
  4. Add the following line to the Apache configuration file /etc/httpd/conf.d/php.conf. The stock php.conf on RHEL only loads PHP inside <IfModule prefork.c> and <IfModule worker.c> blocks; neither matches the itk MPM, so without this line PHP is not loaded at all:
    LoadModule php5_module modules/libphp5.so
    
  5. Restart Apache.
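The whole per-vhost procedure from steps 2 and 3, as an added shell example (not code from the original post or from the mpm-itk project): one function prints the vhost stanza, one applies the ownership and permission scheme, and one audits a vhost tree and reports anything that is world-readable or not owned by the vhost account. The DocumentRoot layout /var/www/<ServerName>/htdocs and the path /etc/httpd/conf.d/<ServerName>.conf are assumptions; the post does not specify them.

```shell
#!/bin/sh
# Added example for the mpm-itk setup described above; not from the post.
# Assumed layout: vhost files under /var/www/<ServerName>/htdocs and one
# config file per vhost in /etc/httpd/conf.d/<ServerName>.conf.

# Print an mpm-itk vhost stanza for ServerName $1 running as user $2, group $3.
# Redirect the output into /etc/httpd/conf.d/$1.conf (assumed path).
itk_vhost_conf() {
    name=$1; user=$2; group=$3
    printf '%s\n' \
        "<VirtualHost *:80>" \
        "    ServerName $name" \
        "    DocumentRoot /var/www/$name/htdocs" \
        "    AssignUserId $user $group" \
        "</VirtualHost>"
}

# Step 3 of the post: everything under $1 owned by $2:$3, directories 750,
# files 640, so nothing is accessible to "other" (i.e. to the other vhosts'
# users). Needs root when $2:$3 is not the calling user.
harden_vhost_dir() {
    dir=$1; user=$2; group=$3
    chown -R "$user:$group" "$dir"
    find "$dir" -type d -exec chmod 750 {} \;
    find "$dir" -type f -exec chmod 640 {} \;
}

# Audit: return 0 if nothing under $1 is world-readable (-perm -004) and every
# entry is owned by $2:$3; otherwise list the offending paths on stderr and
# return 1. Run this after deployments, which tend to recreate 644/755 files.
audit_vhost_dir() {
    dir=$1; user=$2; group=$3
    bad=$(find "$dir" \( -perm -004 -o ! -user "$user" -o ! -group "$group" \) -print)
    if [ -n "$bad" ]; then
        printf 'insecure entries under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# Typical use (as root), after "useradd -r -s /sbin/nologin user1":
#   itk_vhost_conf www.example.com user1 group1 > /etc/httpd/conf.d/www.example.com.conf
#   harden_vhost_dir /var/www/www.example.com user1 group1
#   audit_vhost_dir  /var/www/www.example.com user1 group1 && service httpd restart
```

The audit deliberately flags group-ownership mismatches as well as world-readable entries: a file that is group-readable by the wrong group is just as exposed to that group's vhost as a world-readable one.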

Testing

  1. PHP testing script (place it in the vhost's document root and delete it again afterwards, since it executes shell commands):
    <?php system("id"); ?>
    
  2. Script output without mpm-itk:
    uid=48(apache) gid=48(apache) groups=48(apache)
    
  3. Script output with mpm-itk:
    uid=507(user1) gid=1500(group1) groups=1500(group1)
    