ThinIce

Well-Known Member
In the EasyApache 4 docs (Apache Module: MPM ITK - EasyApache 4 - cPanel Documentation) you state:

Warning:

We strongly recommend that you only install the MPM ITK Apache module on a system that runs CentOS 7 with Secure Computing Mode (seccomp v2) enabled in the kernel. The MPM ITK Apache module will run on CentOS 6, but will not be as secure.
If you have some time, could you perhaps expand upon this a little for us (in terms of technical detail)?

Many thanks.
 

cPanelMichael

Administrator
Staff member
Hello,

Technical information about that advice is available at:

apache2-mpm-itk

In particular, these two paragraphs relate to that warning message in our documentation:

Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities and seccomp v2 where possible) until the request is parsed and the vhost determined. This means that any code execution hole before the request is parsed will be a potential root security hole. (The most likely place is probably in mod_ssl.) This is not likely to change in the near future, as socket passing, the most likely alternative solution, is very hard to get to work properly in a number of common use cases (e.g. SSL).
LimitUIDRange, LimitGIDRange (Apache 2.4 or newer only): Restrict setuid() and setgid() calls to a given range (e.g. “LimitUIDRange 1000 2000” to allow only uids from 1000 to 2000, inclusive), possibly increasing security somewhat. Note that this requires seccomp v2 (Linux 3.5.0 or newer). Also, due to technical reasons, setgroups() is not restricted, so a rogue process can still get any group it might want. Still, performing a successful attack will be somewhat trickier than otherwise.
Thanks!
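To turn the two quoted paragraphs into something an administrator can check, here is an added example (not cPanel's code, and not part of the original reply) that audits an httpd configuration snippet together with a `uname -r` string: it reports whether the kernel is new enough for seccomp v2, whether LimitUIDRange/LimitGIDRange are present and sane, and always carries the setgroups() caveat. The config snippets and kernel strings are constructed samples; the "range includes id 0" check is my own addition, not something the mpm-itk docs spell out.

```python
import re

# Constructed sample httpd snippets (not real cPanel files): one without
# the range directives, one with them added.
CONF_WEAK = """
LoadModule mpm_itk_module modules/mod_mpm_itk.so
<VirtualHost *:80>
    AssignUserID alice alice
</VirtualHost>
"""
CONF_HARDENED = CONF_WEAK + "LimitUIDRange 1000 2000\nLimitGIDRange 1000 2000\n"

MIN_SECCOMP_V2 = (3, 5, 0)  # mpm-itk docs: LimitUIDRange needs Linux 3.5.0 or newer

def kernel_tuple(uname_r):
    """Turn a `uname -r` string such as '3.10.0-1160.el7.x86_64' into (3, 10, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def parse_ranges(conf):
    """Collect LimitUIDRange / LimitGIDRange directives as {name: (lo, hi)}."""
    pat = r"^\s*(LimitUIDRange|LimitGIDRange)\s+(\d+)\s+(\d+)\s*$"
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pat, conf, re.MULTILINE)}

def audit(conf, uname_r):
    """Return the list of findings; the setgroups() caveat is always the last one."""
    findings = []
    if kernel_tuple(uname_r) < MIN_SECCOMP_V2:
        findings.append("kernel older than 3.5.0: no seccomp v2, so Limit*Range "
                        "cannot be enforced while the worker still runs as root")
    ranges = parse_ranges(conf)
    for name in ("LimitUIDRange", "LimitGIDRange"):
        if name not in ranges:
            findings.append(f"{name} missing: setuid()/setgid() to any id allowed")
            continue
        lo, hi = ranges[name]
        if lo > hi:
            findings.append(f"{name} {lo} {hi}: lower bound exceeds upper bound")
        elif lo == 0:  # my own check: a range starting at 0 does not exclude root
            findings.append(f"{name} includes id 0, so the range does not exclude root")
    findings.append("setgroups() is not restricted by mpm-itk (documented limitation)")
    return findings

if __name__ == "__main__":
    for label, conf, kern in (("CentOS 6-style kernel", CONF_WEAK, "2.6.32-754.el6.x86_64"),
                              ("CentOS 7-style kernel", CONF_HARDENED, "3.10.0-1160.el7.x86_64")):
        print(label)
        for finding in audit(conf, kern):
            print("  -", finding)
```

On a live box, feed it the output of `uname -r` and the contents of the include that carries the directives; the kernel check only tells you seccomp v2 can exist, not that the running httpd was built with it.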
 
