Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 08/13/2008

This article explains how you can install and configure apache2-mpm-itk on a Debian Etch server. apache2-mpm-itk is an MPM (Multi-Processing Module) for the Apache 2 web server. mpm-itk allows you to run each of your vhost under a separate UID and GID - in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts. mpm-itk works with mod_php because mpm-itk is based on the traditional prefork MPM, which means it's non-threaded. This means you don't need to use suExec or suPHP anymore to run a website's PHP scripts as a separate user.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

1 Preliminary Note

I'm assuming you have a working Apache2 installation with mod_php on your Debian Etch server.

For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/.

For security considerations, please visit http://mpm-itk.sesse.net/.

2 Installing apache2-mpm-itk

apache2-mpm-itk is available as a Debian package for Debian Etch, so all we have to do is run

apt-get install apache2-mpm-itk

3 Configuring apache2-mpm-itk

apache2-mpm-itk is configured on a per-vhost basis, i.e., we don't have to set any global options, and there's only one directive we need to set in a vhost, AssignUserId, which takes two parameters, the user name and the group that the vhost will run as.

In this example I will use the default Debian Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.

If the user and group don't already exist, we can create them as follows:

groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin

Then we open our vhost configuration and add the following lines to it:

[...]
<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
[...]

For example:

vi /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
</VirtualHost>

Restart Apache afterwards:

/etc/init.d/apache2 restart

That's it!

4 Links

• apache2-mpm-itk: http://mpm-itk.sesse.net
• Apache: http://httpd.apache.org
• Debian: http://www.debian.org