mpm-itk on CentOS 5.5 – run Apache virtual hosts as different users

mpm-itk is a fork of mpm-prefork (ironically in both process and project sense), which allows you to configure individual Apache vhosts to run as specified users and groups. This makes it extremely secure if used in a shared hosting environment.

I have provided a CentOS RPM for this in the Webtatic yum repository. This should work with your existing httpd installation, as it is installed as a separate mpm to be selected just as the worker or event mpms can.

To install, first add the Webtatic repository to your Yum configuration:

rpm -Uvh http://mirror.webtatic.com/yum/centos/5/latest.rpm

Then install the package:

yum install --enablerepo=webtatic httpd-itk

Next, if you are currently running httpd, stop it, as the switch is done in the httpd control scripts.

service httpd stop

Then edit /etc/sysconfig/httpd and add the following line:

HTTPD=/usr/sbin/httpd.itk

Next you can add users and groups for your vhosts and configure httpd’s vhosts to use them:

...
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /path/to/web/root
 
    AssignUserId vhost-user vhost-group
</VirtualHost>
...

And then start up your Apache httpd:

service httpd start

The fun doesn’t stop there, however. You must configure websites to only be accessible to these linux users, and not to others. This can typically be done by setting the website’s root to be owned by the user, the group set to the vhost’s group, and turning off world read/write/execute, e.g.:

chown owner-user:vhost-group /path/to/webroot
chmod o-rwx /path/to/webroot
 
ls -ald /path/to/webroot
# drwxr-x--- 20 owner-user vhost-group 4096 Apr  5 19:38 /path/to/webroot

Now the only users able to access the webroot are the super user, owner-user, and any users in vhost-group. As the web server will be setuid’d to vhost-user/vhost-group it will be able to read files in the web root.

The reason I didn’t change the user of the directory to vhost-user is that it would give the httpd process write access, which you still should take care of, as if there are vulnerabilities in the user’s code, the files could be hacked.

VirtualHost security

mpm-prefork (and most of the other stable MPMs) runs under a single user and group. In a shared hosting environment using these processing models, every script that is run essentially has read access to every other vhost’s scripts, which is a frightening prospect as they can easily be compromised giving an attacker the full source to a website. Database passwords can be read, leading to additional private data being accessible.

There are methods to secure shared hosting, as detailed in my blog post “Techniques for creating a secure shared web server”. However they tend to decrease performance or don’t have total protection.

mpm-itk

mpm-itk is an alternative which runs the prefork model as root, giving it setuid capabilities. Each time a request is established, a preforked httpd process forks itself and setuid’s to the vhost’s defined user/group (or the default if unspecified). When the request is complete, the fork is terminated, allowing the parent to fork again on a later request.

The reason for this is that only the super user can setuid, and once done a process cannot go back to the super user’s context. Forking a process is extremely cheap on resources, so mpm-itk should not lose much in performance when compared to mpm-prefork.

Yes, there is a point where if there is a vulnerability an attacker might gain root permissions, specifically in between the established connection and the setuid, however as the project’s author mentions, this would only really happen if mod_ssl had a vulnerability.

Leave a Reply

Your email address will not be published. Required fields are marked *