mpm_itk warning

T

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
In the easy apache 4 docs at Apache Module: MPM ITK - EasyApache 4 - cPanel Documentation you state:

Warning:

We strongly recommend that you only install the MPM ITK Apache module on a system that runs CentOS 7 with Secure Computing Mode (seccomp v2) enabled in the kernel. The MPM ITK Apache module will run on CentOS 6, but will not be as secure.
Click to expand...
If you have some time, could you perhaps expand upon this a little for us (in terms of technical detail)?

many thanks
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello,

Technical information about that advice is available at:

apache2-mpm-itk

In particular, these two paragraphs relate to that warning message in our documentation:

Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities and seccomp v2 where possible) until the request is parsed and the vhost determined. This means that any code execution hole before the request is parsed will be a potential root security hole. (The most likely place is probably in mod_ssl.) This is not likely to change in the near future, as socket passing, the most likely alternative solution, is very hard to get to work properly in a number of common use cases (e.g. SSL).
Click to expand...
LimitUIDRange, LimitGIDRange (Apache 2.4 or newer only): Restrict setuid() and setgid() calls to a given range (e.g. “LimitUIDRange 1000 2000" to allow only uids from 1000 to 2000, inclusive), possibly increasing security somewhat. Note that this requires seccomp v2 (Linux 3.5.0 or newer). Also, due to technical reasons, setgroups() is not restricted, so a rogue process can still get any group it might want. Still, performing a successful attack will be somewhat trickier than otherwise.
Click to expand...
Thanks!
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
000 some danger/warning if we upgrade (FROM cPanel 94) MySQL to version 8? Web Servers and Applications 6
M [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd Web Servers and Applications 8
nisamudeen97 Image upload warning problem with php7.3 Web Servers and Applications 4
A PHP Warning: Module 'memcached' already loaded in Unknown on line 0 Web Servers and Applications 8
A httpd stopping with no space warning but disks are half empty Web Servers and Applications 2
Similar threads
some danger/warning if we upgrade (FROM cPanel 94) MySQL to version 8?
[WARNING] Authentication failed for user [__cpanel__service__auth__ftpd
Image upload warning problem with php7.3
PHP Warning: Module 'memcached' already loaded in Unknown on line 0
httpd stopping with no space warning but disks are half empty
Top Bottom