mpm-itk install/config (will make howto)

hansmiddelhoek

Hi,
We installed mpm-itk. We considered suPHP some time ago, but the side effects: much slower than mod_php, and .htaccess flags (php_flags) should go into own php.ini files, which will allow more changes; besides that, chmods of 777 will not work anymore and that will trigger more support issues. Then we came across mod_ruid2 and mpm-itk. Both look great, but mod_ruid2 doesn't seem to build very well on FreeBSD, so mpm-itk is the way to go for us. I've read a lot of other opinions and nobody seems to share the same ideas :) This isn't the topic to discuss our choice for mpm-itk.

On one of our test servers we accomplished a successful installation within a few minutes. I tested itk by changing a virtual host file with AssignUser added and it works! But there are some issues during our tests.

1. In all our public_html directories there's a symlink awstats pointing to ../awstats. The awstats directory is owned by the user, so it shouldn't be a problem, but it looks like cgi scripts can't be run with itk, therefore a suexecusergroup option is in the vhost. I think this is overwritten by itk and thereafter cgi scripts won't work.

2. We use aliases like /webmail, /roundcube, /squirrelmail and some others. Within these directories itk is doing its job and therefore webmail doesn't work.

I added this to the end of the vhost:
Code:
<IfModule mpm_itk_module>
AssignUserId user group
</IfModule>
</VirtualHost>

I managed to solve one of above issues by moving the new options into the directory directive, like this:
Code:
<Directory /home/<user>/domains/<domain>/public_html>
...
...
<IfModule mpm_itk_module>
AssignUserId user group
</IfModule>
</Directory>

Because the assignuserid only applies to the /home/<user>/domains/<domain>/public_html directory and its subdirectories, the webmail on other locations isn't touched by this setting.
AWstats still doesn't work, because the symlink resides in public_html.

What is the way to go to solve these issues? Do the ones using mpm-itk face the same issues? Or did they solve them already? And how? AFAIK it's not possible to exclude extensions from a directive, so we could specify that the assignuserid doesn't apply to .cgi, .pl and .py files for example. You could match extensions with <FilesMatch>, but there's no exclude parameter like ! afaik.

If you have any suggestions, please let me know. When everything works fine and I've done some additional tests I will post a howto. If you feel that assignuserid doesn't belong within the <directory> directive, I really want to know; I couldn't find anything about it and it seems to solve some issues.
 
it looks like cgi scripts can't be run with itk

And what error do you get? What is there in Apache logs?

Did you try to remove suexecusergroup option?
 
Hi Alex,
Thanks, you're right.
When attempting to load http://domain.com/awstats an internal server error occurred; before mpm-itk this worked without problems.
When I put the assignuserid directive outside the <directory> directives, just before </virtualhost>, and comment out "suexecusergroup user group", it works!

Are you running mpm-itk this way? Without suexecusergroup? Isn't that a security issue? I know suexec takes care of running cgi scripts as the user and now mpm-itk will do that job, but isn't suexecusergroup more secure for whatever reason?

You're using mpm-itk yourself, right? Are you happy with it? No issues I need to take care of? And how did you manage to get webmail to work running under the user? Like http://domain.com/webmail is an alias and shows the content of /var/www/html/roundcubemail-x.x.x
Custombuild manages the permission settings; is there any way of manipulating it in a secure and steady way?

Thanks again!
 
Hello,

I did spend some time researching the best solution for our needs. I did really try mpm-itk, but I did manage to install it only on a FreeBSD box, and I failed to install it on CentOS. And we still use mod_suphp with individual PHP.INI and other features.

Anyway, I know for sure that suexec can not be used with mod_ruid2 or with mpm-itk, nor can suphp be used alongside mod_ruid2 and mpm-itk, because they are designed to do the same things. Since with mpm-itk all requests are served with the user's privileges, you don't need suexec anymore (that includes CGI scripts). But you can still use Suexec with suPHP or with mod_php.

As for webmail/phpmyadmin (http://domain.com/webmail), you might want to try the assign user ID directive for /var/www/html/; try user webapps.
 
Thanks. I'm ashamed I didn't think of that myself :eek:
Well, with your help cgi scripts work with mpm-itk by removing suexecusergroup. And now webmail/phpmyadmin work by setting webapps user/group in /etc/httpd/conf/httpd.conf for /var/www/html.

Do you know if /etc/httpd/conf/httpd.conf will be overwritten at some time by DirectAdmin? I didn't think so, but if I'm going to write a how-to and say they need to change that file, I need to be sure that changes to that file persist.

Thanks again, I think everything is fine now. I'm starting a test on another server within a few days and then start in production for 1 server. If all these tests are successful I'm going to write the how-to, of course with special thanks to you :)
 
Hi,

I'm looking to implement MPM-ITK on our FreeBSD hosting servers too. Have you made any kernel/OS modifications to prevent privilege escalation when there's a bug in mod_openssl, for example?

I'm looking for MAC, but it's quite hard to implement.
 
Have you made any kernel/OS modifications to prevent privilege escalation when there's a bug in mod_openssl, for example?

No, I have not. Should I?
 
I'm not telling you that you should. But I think you should be aware of the risks to make the right decisions. From the MPM-ITK's site:

Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities where possible) until the request is parsed and the vhost determined. This means that any security hole before the request is parsed will be a root security hole. (The most likely place is probably in mod_ssl.) This is not going to change in the near future, as the most likely alternative solution (socket passing and its variants) is very hard to get to work properly in a number of common use cases, like SSL.
 
That's OK. For now I mostly use suPHP and then secondly mod_ruid2. I failed with the MPM-ITK installation on CentOS those times when I tried some years ago. Since then I've been using it only on one FreeBSD box, and no virtualhost is using SSL there. So for me there is nothing to worry about regarding the issue. Nevertheless, it would be nice if you shared your findings and solution on the subject.
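The thread settles on three points: SuexecUserGroup and AssignUserId must not be combined in one vhost (CGI returned a 500 until suexec was removed), AssignUserId placed only inside a <Directory> leaves paths outside it running as the server default, and, per the mpm-itk notice quoted above, mod_ssl handles the TLS handshake while the process is still root. The following is an added example, not code from the thread, from mpm-itk or from DirectAdmin: a small Python linter that flags those three conditions in an httpd.conf fragment and lists which directories carry their own AssignUserId. The two embedded configs are constructed samples; the user names (hans, webapps), the server name and the paths are assumptions chosen to mirror the thread.

```python
"""Lint an Apache vhost fragment for the mpm-itk pitfalls discussed above.

Added example; the parser only understands the subset of httpd.conf syntax
needed here (sections, closing tags, simple directives, # comments).
"""
import re
from typing import Dict, List, Tuple

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")

# Constructed sample: the configuration the thread started from. SuexecUserGroup
# and AssignUserId share a vhost, AssignUserId sits only on public_html, and the
# second vhost terminates TLS. Names and paths are assumptions.
CONFIG_BEFORE = """
<VirtualHost *:80>
    ServerName example.test
    SuexecUserGroup hans hans
    <Directory /home/hans/domains/example.test/public_html>
        <IfModule mpm_itk_module>
            AssignUserId hans hans
        </IfModule>
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    AssignUserId hans hans
</VirtualHost>
"""

# Constructed sample: the layout the thread ended with. AssignUserId at vhost
# level, no SuexecUserGroup, and a server-level /var/www/html block for the
# shared webmail/phpmyadmin alias targets running as the webapps user.
CONFIG_AFTER = """
<VirtualHost *:80>
    ServerName example.test
    <IfModule mpm_itk_module>
        AssignUserId hans hans
    </IfModule>
</VirtualHost>
<Directory /var/www/html>
    <IfModule mpm_itk_module>
        AssignUserId webapps webapps
    </IfModule>
</Directory>
"""

MESSAGES = {
    "suexec-conflict": "SuexecUserGroup and AssignUserId in one vhost: mpm-itk "
                       "already runs CGI as the assigned user; drop SuexecUserGroup",
    "assign-only-in-directory": "AssignUserId only inside <Directory>: requests "
                                "outside it run as the server default user",
    "no-assignuserid": "no AssignUserId: every request runs as the default user",
    "ssl-before-setuid": "SSLEngine on: mod_ssl runs before the vhost user is "
                         "chosen, i.e. still as root (mpm-itk documentation)",
}


def parse_directives(text: str) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Flatten a config fragment into (directive, args, context) triples.

    context is the stack of enclosing sections, e.g. ("VirtualHost *:80",
    "Directory /var/www/html"). IfModule wrappers are dropped from the context
    because they do not change where a directive applies.
    """
    stack: List[str] = []
    out: List[Tuple[str, str, Tuple[str, ...]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        parts = line.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        ctx = tuple(s for s in stack if not s.startswith("IfModule"))
        out.append((parts[0], args, ctx))
    return out


def lint_itk(text: str) -> Dict[str, List[str]]:
    """Return {vhost header: [finding code, ...]} for every <VirtualHost>."""
    state: Dict[str, Dict[str, bool]] = {}
    for directive, args, ctx in parse_directives(text):
        vhost = next((c for c in ctx if c.startswith("VirtualHost")), None)
        if vhost is None:
            continue  # server-level directives are handled by assigned_directories()
        info = state.setdefault(vhost, {"suexec": False, "assign_vhost": False,
                                        "assign_dir": False, "ssl": False})
        in_dir = any(c.startswith(("Directory", "Location")) for c in ctx)
        name = directive.lower()
        if name == "suexecusergroup":
            info["suexec"] = True
        elif name == "assignuserid":
            info["assign_dir" if in_dir else "assign_vhost"] = True
        elif name == "sslengine" and args.lower() == "on":
            info["ssl"] = True
    findings: Dict[str, List[str]] = {}
    for vhost, info in state.items():
        codes = []
        if info["suexec"] and (info["assign_vhost"] or info["assign_dir"]):
            codes.append("suexec-conflict")
        if info["assign_dir"] and not info["assign_vhost"]:
            codes.append("assign-only-in-directory")
        if not (info["assign_vhost"] or info["assign_dir"]):
            codes.append("no-assignuserid")
        if info["ssl"]:
            codes.append("ssl-before-setuid")
        findings[vhost] = codes
    return findings


def assigned_directories(text: str) -> Dict[str, str]:
    """Map every <Directory> path that carries AssignUserId to its user/group."""
    result: Dict[str, str] = {}
    for directive, args, ctx in parse_directives(text):
        if directive.lower() != "assignuserid":
            continue
        for section in ctx:
            if section.startswith("Directory "):
                result[section.split(" ", 1)[1]] = args
    return result


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"== {label} ==")
        for vhost, codes in lint_itk(cfg).items():
            for code in codes or ["ok"]:
                print(f"  {vhost}: {MESSAGES.get(code, code)}")
        print("  per-directory AssignUserId:", assigned_directories(cfg))
```

Run it against a real httpd.conf by reading the file into a string; the "ssl-before-setuid" finding is informational (it is inherent to mpm-itk, not a misconfiguration), so it is worth treating separately from the two that the thread fixed by editing the config.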
 