Using mpm-itk To Secure A Shared Server
Posted by Stuart Herbert @ 1:00 PM, Sat 19 Apr 08
Filed under: The Web Platform
Tags: apache, hosting, mpm-itk, php, security, shared servers
20 Comments
The challenge with securing a shared hosting server is how to secure the website from attack both from the outside and from the inside. PHP has built-in features to help, but ultimately it’s the wrong place to address the problem. Apache has built-in features too, but the performance cost of these features is prohibitive.
This has created a gap that a number of third-party solutions have attempted to fill. One solution you may have heard of is mpm-itk, by Steinar H. Gunderson. How well does it work, and how well does it perform?
- mpm-itk: Running Apache As A Specified User
- Installing mpm-itk
- Configuring Apache
- Some Benchmarks
- Other Considerations
- Conclusions
mpm-itk: Running Apache As A Specified User
Like mpm-peruser, mpm-itk is an alternative multi-processing module (MPM) for Apache 2.x. It also allows each website’s PHP scripts to run as a separate user. But the main difference is that it doesn’t maintain separate pools of processes for each user. Instead, after the PHP request has completed, each process is terminated, and new processes must be created to handle new requests.
Until I researched mpm-itk for this article, I didn’t realise that it didn’t recycle processes after each request. This means that there’s no chance at all of it matching mpm-peruser for performance (something I suggested was possible), but that doesn’t mean that mpm-itk is entirely without merit.
Installing mpm-itk
mpm-itk needs to be compiled into your Apache installation. It cannot be loaded as a module.
First of all, download the Apache source code, and then download either the mpm-itk patch for Apache 2.0, or the mpm-itk patch for Apache 2.2. For this article, I’m going to focus on Apache 2.2, but the same instructions should apply for Apache 2.0.
Unpack the Apache source code, apply the mpm-itk patch, and rebuild Apache’s build scripts:
$ mkdir -p /tmp/apache-itk $ cd /tmp/apache-itk $ wget http://www.mirrorservice.org/sites/ftp.apache.org/httpd/httpd-2.2.8.tar.gz $ wget http://mpm-itk.sesse.net/apache2.2-mpm-itk-20080105-00.patch $ tar -zxf httpd-2.2.8.tar.gz $ cd httpd-2.2.8 $ patch -p1 < ../apache2.2-mpm-itk-20080105-00.patch $ autoconf
Then, configure the Apache source code to build with mpm-itk as the chosen MPM. Make sure that you run configure with any other configuration switches that you need:
$ ./configure --with-mpm=itk
After that, compile and install Apache:
$ make ; make install
Configuring Apache
mpm-itk is very easy to configure. For each of your virtual hosts, simply add the AssignUserId entry:
<VirtualHost *:80> ServerName www.example.com ... <IfModule mpm_itk_module> AssignUserId stuart stuart </IfModule> </VirtualHost>
AssignUserId takes two parameters:
- The first parameter is the user ID to run Apache under for this website.
- The second parameter is the group ID to run Apache under for this website.
Remember to restart Apache after adding AssignUserId, and you should be all set.
Some Benchmarks
To benchmark mpm-itk, I used Apache’s ab benchmark to load a simple phpinfo() page 1,000 times. I ran the benchmark five times, and averaged the results.
- mpm-itk: average of 37.01 seconds
- mpm-prefork: average of 6.21 seconds
mpm-itk benchmarks much better than suexec and suphp, but is still quite a bit slower than mpm-peruser.
Other Considerations
It isn’t just about performance. Both suexec and suphp bring limitations to your PHP applications, but mpm-itk does not. Because mpm_itk puts the job of switching users in the right place – at the heart of Apache – it allows your code to run under mod_php. As a result, your code is free to take advantage of any Apache features that aren’t available to PHP/CGI, such as HTTP authentication support.
Another consideration is the impact on RAM and CPU. Whilst you can definitely use mpm-peruser to provide a faster solution, it does involve a lot of effort in tuning the size of the process pools for each of the websites on a shared server. On a shared hosting server, you can’t necessarily find one tuned configuration that always suits demand – and it may not be worth your time to put the effort in anyway. Although mpm-itk is slower, it doesn’t need tuning for each individual website. It’s more of a fire-and-forget solution that might appeal to hosting providers who don’t know (and don’t really need to care) what your customers websites are.
Conclusions
Although it needs to be compiled from source, mpm-itk provides the security of suexec and suphp with much greater performance than either of these solutions. Although it performs worse than mpm-peruser, mpm-itk doesn’t require as much effort to configure and tune for best performance, and its greater simplicity probably makes it better suited to shared hosting servers running a random collection of websites.
mpm-itk is an option that you should seriously consider when designing your shared hosting server solution.
This article is part of The Web Platform, an on-going series of blog posts about the environment that you need to create and nurture to run your web-based application in. If you have any topics that you’d like to see covered in future articles, please leave them in the comments on this page.
20 Comments
April 29th, 2008 at 9:48 pm
[...] Herbert has taken a closer look at apache2-mpm-itk , a patch for the apache2 prefork handler to enable Apache to switch which user [...]
May 13th, 2008 at 2:00 pm
You should really have a look at php with fastcgi as well; it should perform much better than the suexec cgi solution you tried. I’d be interested in the results you get
July 10th, 2008 at 11:20 pm
Is normal this?
root 2743 0.8 3.7 23480 9712 ? Ss 23:18 0:00 /usr/sbin/apache2 -k start
www-data 2744 0.0 1.2 19432 3108 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
root 2749 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
root 2750 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
root 2751 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
root 2752 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
root 2753 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
July 12th, 2008 at 4:55 pm
[...] Stuart Herbert discussion of the pros and cons of different solutions to this problem and his evaluation of mpm-itk i decided to look into it further.On nice solution that has been developed is mpm-peruser but that [...]
July 13th, 2008 at 10:50 am
[...] suphp比suexec(就是原来dv3.0升php5的方法)要快一点;比suphp更快的还有suphp_mod_php;再快一些的是mpm-peruser,不过安装配置的麻烦程度也随之递增。 [...]
August 19th, 2008 at 8:26 am
[...] For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/. [...]
November 18th, 2008 at 1:52 pm
Good article – would be even better with a PRINT VIEW of this article!
March 13th, 2009 at 12:48 am
[...] dość teorii, oto linki w których możecie poczytać jak konfigurować zarówno itk jak i peruser i przejdźmy już do [...]
April 6th, 2009 at 8:01 pm
[...] searching for how I could secure my web server environment I came across this wonderful post. I was already used suPHP. Replacing it with mpm-itk was very simple since mpm-itk were already in [...]
April 11th, 2009 at 6:41 pm
ok, guys, read this: if you try mpm_itk on debian, you will run into trouble with mod_cgid – this is what debian defaults to install, but this will not run with mpm_itk, so you need to replace it with mod_cgi – without the trailing d! As a cherry on top of this debian maintainers built a nice script a2enmod and a2dismod, which will not behave like expected – when used like “a2endmod cgi” it will reinstall mod_cgid – not mod_cgi. So you have to replace the links in /etc/apache/mods-enabled manually. Good Look!
May 19th, 2009 at 5:10 pm
Hi,
When people come in to my vhost, they are web_guest (thanks to mpm-itk)
When user logs in he must be : Stuart
so i need to be able to change this from my php-application
So my vhost directive has to change only for the logged in user Stuart (remain the same for the rest)
From:
AssignUserId guest_userguest_group
To:
AssignUserId Stuart user_group
I’d appreciate if you could give some directions…
Thanks,
D
May 20th, 2009 at 8:12 am
@devrim I don’t think mpm-itk is the right solution for your problem. mpm-itk can control the Linux user that Apache runs as, but it can’t help you manage users within your PHP application.
June 23rd, 2009 at 10:42 am
Not so much a good solution for Cpanel. I gave it a shot. Worked great till i went to login cpanel. Returned internal server error 500. becaue the user cpanel logs in as nobody and the user isn’t allowed.
Also saw that no one could access the /tmp folder using sessions
June 23rd, 2009 at 12:52 pm
@ant: anything that relies on the user ‘nobody’ is fundamentally broken. ‘nobody’ is the user that the root user gets mapped to in more secure NFS environments.
You shouldn’t put sessions in /tmp, but if /tmp is setup correctly, there should be no reason why mpm-itk can’t access sessions stored in there.
June 27th, 2009 at 12:17 am
Awesome group of articles Stuart. Had a couple of questions that I would love your input on
1) mpm-itk should be compatible with opcode cachers like APC right?
2) Have you tried php-fpm? From what I have read looks like it offers the same ability as suphp and doesnt take the performance hit (not sure if its faster than mpm-itk)
June 30th, 2009 at 12:27 am
[...] For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/. [...]
July 17th, 2009 at 1:37 am
[quote]As a result, your code is free to take advantage of any Apache features that aren’t available to PHP/CGI, such as HTTP authentication support.[/quote]
Well, there are ways to, at least, support HTTP auth within PHP with a little trick – Apaches RewriteMap is the key.
For a detailled explanation (sorry, available in German only) see the following forum topic: http://forum.webhostlist.de/forum/webserver-software-linux-unix-etc/102327-howto-php_auth_user-_pw-fuer-php-cgi.html
August 10th, 2009 at 2:46 pm
This is a great blog! After several pages I’m trying to combine mpm-itk with mod-fcgid on Ubuntu (Hardy). The reason is that I would like to use mpm-itk combined the ability to use per-user php.ini files. Unfortunately I’m out of luck, as soon as I use AssignUserId I get these errors in Apache’s error log:
[emerg] (13)Permission denied: mod_fcgid: can’t get lock, pid: 9319
Is it possible at all to combine mpm-itk with mod-fcgid? Or is there a better way to use per-user (per VirtualHost) php.ini files together with mpm-itk?
Right now I’m using suPHP but when the server is busy this just eats my CPU.
September 2nd, 2009 at 3:55 pm
[...] Prozess, unter diesem Benutzer ausgeführt. Einen schönen einführenden Artikel zu Apache ITK hat Stuart Herbert in seinem Blog geschrieben. AssignUserID user [...]
November 24th, 2009 at 3:07 pm
Got mpm-itk working with Apache 2.2.14 on cPanel using the “series” of patches, not the monolithic one.
Everything works well, but just a quick warning: eAccelerator doesn’t work properly and will eat through gigs of RAM in a mere few minutes (not a problem when prefork is in use).
Haven’t tried xcache or APC yet.
Add Your Comments To This Article Using The Form Below
Your comments may not appear until they have been approved by a moderator.