Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Thu, 2008-08-14 10:40. :: Debian | Apache

Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 08/13/2008

This article explains how you can install and configure apache2-mpm-itk on a Debian Etch server. apache2-mpm-itk is an MPM (Multi-Processing Module) for the Apache 2 web server. mpm-itk allows you to run each of your vhost under a separate UID and GID - in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts. mpm-itk works with mod_php because mpm-itk is based on the traditional prefork MPM, which means it's non-threaded. This means you don't need to use suExec or suPHP anymore to run a website's PHP scripts as a separate user.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I'm assuming you have a working Apache2 installation with mod_php on your Debian Etch server.

For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/.

For security considerations, please visit http://mpm-itk.sesse.net/.

 

2 Installing apache2-mpm-itk

apache2-mpm-itk is available as a Debian package for Debian Etch, so all we have to do is run

apt-get install apache2-mpm-itk

 

3 Configuring apache2-mpm-itk

apache2-mpm-itk is configured on a per-vhost basis, i.e., we don't have to set any global options, and there's only one directive we need to set in a vhost, AssignUserId, which takes two parameters, the user name and the group that the vhost will run as.

In this example I will use the default Debian Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.

If the user and group don't already exist, we can create them as follows:

groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin

Then we open our vhost configuration and add the following lines to it:

[...]
<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
[...]

For example:

vi /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
</VirtualHost>

Restart Apache afterwards:

/etc/init.d/apache2 restart

That's it!

 

4 Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by AllanJ (registered user) on Sat, 2008-08-16 11:08.

Are there any plans to include this in ISPconfig ?

 Best regards

 Allan Jacobsen

Submitted by jwarnier (registered user) on Mon, 2010-08-09 09:38.

It has been done in ISPconfig 3.

Also, this howto should also work for Debian GNU/Linux Lenny.