mpm_itk warning

ThinIce · Aug 17, 2016

In the easy apache 4 docs at Apache Module: MPM ITK - EasyApache 4 - cPanel Documentation you state:

Warning:

We strongly recommend that you only install the MPM ITK Apache module on a system that runs CentOS 7 with Secure Computing Mode (seccomp v2) enabled in the kernel. The MPM ITK Apache module will run on CentOS 6, but will not be as secure.
Click to expand...

If you have some time, could you perhaps expand upon this a little for us (in terms of technical detail)?

many thanks

cPanelMichael · Aug 17, 2016

Hello,

Technical information about that advice is available at:

apache2-mpm-itk

In particular, these two paragraphs relate to that warning message in our documentation:

Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities and seccomp v2 where possible) until the request is parsed and the vhost determined. This means that any code execution hole before the request is parsed will be a potential root security hole. (The most likely place is probably in mod_ssl.) This is not likely to change in the near future, as socket passing, the most likely alternative solution, is very hard to get to work properly in a number of common use cases (e.g. SSL).
Click to expand...

LimitUIDRange, LimitGIDRange (Apache 2.4 or newer only): Restrict setuid() and setgid() calls to a given range (e.g. “LimitUIDRange 1000 2000" to allow only uids from 1000 to 2000, inclusive), possibly increasing security somewhat. Note that this requires seccomp v2 (Linux 3.5.0 or newer). Also, due to technical reasons, setgroups() is not restricted, so a rogue process can still get any group it might want. Still, performing a successful attack will be somewhat trickier than otherwise.
Click to expand...

Thanks!

ThinIce · Aug 17, 2016

Thanks Out of interest with regards the first paragraph, is the same basic issue the case with mod_ruid2?

cPanelMichael · Aug 19, 2016

ThinIce said: ↑

Thanks Out of interest with regards the first paragraph, is the same basic issue the case with mod_ruid2?
Click to expand...

For the most part, yes. It's better to use a filesystem solution such as CageFS or to use Mod_Ruid2 with jailshell, as documented at:

Symlink Race Condition Protection - EasyApache - cPanel Documentation

Thank you.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

mpm_itk warning

ThinIce Well-Known Member

cPanelMichael Forums Analyst
Staff Member

ThinIce Well-Known Member

cPanelMichael Forums Analyst
Staff Member

/usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

Remote Root Account Transfer had warnings

Error loading module Rvskinwarning

AutoSSL warning

SOLVED Warning about Unresolved IP addresses

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

mpm_itk warning

ThinIce Well-Known Member

cPanelMichael Forums Analyst Staff Member

ThinIce Well-Known Member

cPanelMichael Forums Analyst Staff Member

/usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

Remote Root Account Transfer had warnings

Error loading module Rvskinwarning

AutoSSL warning

SOLVED Warning about Unresolved IP addresses

Share This Page

cPanelMichael Forums Analyst
Staff Member

cPanelMichael Forums Analyst
Staff Member