Question

What is the benefit of using the ITK module instead of Suexec when running an Apache server? The idea is the same, which is to run scripts with owner privileges instead of nobody, www or apache!

Is it better to use ITK rather than suexec? If so, why? What about security and performance in comparison?

Solution

MPM-ITK allows you to run Apache with per-user credentials instead of under the Apache user/group. Suexec runs scripts as CGI under a specific user/group, but the static files served by Apache still need more open permissions to be accessed.

MPM-ITK allows all Apache modules (mod_php, etc.) to run under a specific user:group, with the static files having the same permissions as the scripts. The main downside is that Apache's control process has to run as root (with reduced privileges) so it can switch to any user after the request is parsed. Suexec does not have this security risk, but it is only a solution for script execution (not website content isolation).

Here is a blog post with a good summary regarding MPM-ITK vs Suexec and other solutions. The author accepts the security implications of MPM-ITK with the opinion that it outweighs the drawbacks of the competing solutions. I do not agree with the author that an Apache exploit is less likely to succeed just because the MPM-ITK patch is in use, so I would recommend staying up to date on your security patches (we should anyway, right?) if you are willing to accept the security risk to get the per-user benefit.

In summary, MPM-ITK vs Suexec is really a per-situation decision. The only solution beyond MPM-ITK is per-user Apache instances behind a reverse proxy, if server resources are not a concern. Read more about that here: http://wiki.apache.org/httpd/ExtendingPrivilegeSeparation
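
The two approaches compared above, shown as virtual-host configuration. This is an added example, not part of the original answer. `SuexecUserGroup` is the mod_suexec directive and `AssignUserID` the mpm-itk one; the user `alice`, the host names and the paths are constructed for illustration.

```apache
# Option A: mod_suexec.
# Only CGI programs are executed as alice:alice (through the suexec wrapper).
# The httpd worker that serves static files keeps the global User/Group
# from the main configuration (for example www-data).
<VirtualHost *:80>
    ServerName suexec.example.test
    DocumentRoot /var/www/alice/htdocs
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ /var/www/alice/cgi-bin/
    # Consequence: htdocs must be readable by the global httpd user,
    # so static content needs more open permissions than the scripts.
</VirtualHost>

# Option B: mpm-itk.
# After the request is parsed, the worker switches to alice:alice and
# handles the whole request as that user: static files, mod_php and any
# other in-process module.
<IfModule mpm_itk_module>
    <VirtualHost *:80>
        ServerName itk.example.test
        DocumentRoot /var/www/alice/htdocs
        AssignUserID alice alice
        # Consequence: static files and scripts can share the same
        # owner-only permissions; the global httpd user needs no access.
        # Trade-off: the control process must run as root (with reduced
        # privileges) to be able to switch to any user.
    </VirtualHost>
</IfModule>
```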

Licensed under: CC-BY-SA with attribution