mpm_itk warning
In the EasyApache 4 docs at "Apache Module: MPM ITK - EasyApache 4 - cPanel Documentation" you state:
Warning:
We strongly recommend that you only install the MPM ITK Apache module on a system that runs CentOS 7 with Secure Computing Mode (seccomp v2) enabled in the kernel. The MPM ITK Apache module will run on CentOS 6, but will not be as secure.
If you have some time, could you perhaps expand upon this a little for us (in terms of technical detail)? Many thanks.
Hello,

Technical information about that advice is available at: apache2-mpm-itk

In particular, these two paragraphs relate to that warning message in our documentation:

Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities and seccomp v2 where possible) until the request is parsed and the vhost determined. This means that any code execution hole before the request is parsed will be a potential root security hole. (The most likely place is probably in mod_ssl.) This is not likely to change in the near future, as socket passing, the most likely alternative solution, is very hard to get to work properly in a number of common use cases (e.g. SSL).
LimitUIDRange, LimitGIDRange (Apache 2.4 or newer only): Restrict setuid() and setgid() calls to a given range (e.g. "LimitUIDRange 1000 2000" to allow only uids from 1000 to 2000, inclusive), possibly increasing security somewhat. Note that this requires seccomp v2 (Linux 3.5.0 or newer). Also, due to technical reasons, setgroups() is not restricted, so a rogue process can still get any group it might want. Still, performing a successful attack will be somewhat trickier than otherwise.
Thanks!
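The seccomp v2 requirement quoted above (Linux 3.5.0 or newer) can be checked before relying on LimitUIDRange/LimitGIDRange. The script below is an added example, not code from mpm-itk or cPanel: the function names, the sample kernel release strings and the sample files are constructed, and rejecting a range that starts at 0 is this example's own policy.

```shell
#!/bin/sh
# Added example (not from mpm-itk or cPanel): pre-flight check for LimitUIDRange/LimitGIDRange.

# kernel_at_least MAJOR MINOR RELEASE: true if RELEASE (uname -r format) >= MAJOR.MINOR
kernel_at_least() {
    rel=${3%%-*}                      # 3.10.0-1160.el7.x86_64 -> 3.10.0
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$1" ] && return 0
    [ "$major" -eq "$1" ] && [ "$minor" -ge "$2" ]
}

# seccomp_filter_built KCONFIG: true if the kernel config enables seccomp v2 (filter mode)
seccomp_filter_built() {
    grep -q '^CONFIG_SECCOMP_FILTER=y' "$1"
}

# limit_range_ok DIRECTIVE CONF: true if DIRECTIVE is set with numeric MIN <= MAX.
# Requiring MIN >= 1 (root excluded) is this example's policy, not an mpm-itk rule.
limit_range_ok() {
    awk -v d="$1" '
        tolower($1) == tolower(d) {
            found = 1
            if ($2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > $3 + 0) bad = 1
        }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$2"
}

# itk_limits_enforceable RELEASE KCONFIG CONF: all conditions together
itk_limits_enforceable() {
    kernel_at_least 3 5 "$1" && seccomp_filter_built "$2" &&
        limit_range_ok LimitUIDRange "$3" && limit_range_ok LimitGIDRange "$3"
}

# Constructed sample inputs so the script runs offline; on a real host pass
# "$(uname -r)", "/boot/config-$(uname -r)" and the Apache config that loads mpm-itk.
demo=$(mktemp -d)
printf 'CONFIG_SECCOMP=y\nCONFIG_SECCOMP_FILTER=y\n' > "$demo/kconfig"
printf 'LimitUIDRange 1000 2000\nLimitGIDRange 1000 2000\n' > "$demo/itk.conf"
for rel in 3.10.0-1160.el7.x86_64 2.6.32-754.el6.x86_64; do
    if itk_limits_enforceable "$rel" "$demo/kconfig" "$demo/itk.conf"; then
        echo "$rel: LimitUIDRange/LimitGIDRange can be enforced"
    else
        echo "$rel: requirements for LimitUIDRange/LimitGIDRange not met"
    fi
done
```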
Thanks :) Out of interest, with regard to the first paragraph, is the same basic issue the case with mod_ruid2?
For the most part, yes. It's better to use a filesystem solution such as CageFS or to use Mod_Ruid2 with jailshell, as documented at: Symlink Race Condition Protection - EasyApache - cPanel Documentation

Thank you.