Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-peruser On Debian Etch - Page 2

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.

Submitted by falko (Contact Author) (Forums) on Thu, 2008-08-21 17:44. ::

3 Configuring apache2-mpm-peruser

In this example I will use the default Debian Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.

If the user and group don't already exist, we can create them as follows:

groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin

Now we open the main Apache configuration (/etc/apache2/apache2.conf) and search for the section where the various MPMs (prefork, worker, etc.) are configured, and add something like this to it:

vi /etc/apache2/apache2.conf

[...]
<IfModule peruser.c>
ServerLimit 256
MaxClients 256
MinSpareProcessors 2
MaxProcessors 10
MaxRequestsPerChild 1000
# kill idle processors after this many seconds (0 to disable)
IdleTimeout 60
# kill hung processes after this many seconds (0 to disable)
ExpireTimeout 300
# set up a few multiplexer processes running as nobody
Multiplexer nobody nogroup
Multiplexer nobody nogroup
Multiplexer nobody nogroup
# Processor <user> <group> <chroot>
# chroot is optional
Processor web1_admin web1
</IfModule>
[...]

The Processor line is important - it tells Apache which user/group pair is allowed to run a vhost. If you have a second vhost that you want to run as user web2_admin and group web2, just add a second Processor line. You can even chroot the user/group by adding an optional directory:

[...]
Processor web1_admin web1 /var/www
[...]

We must also modify our vhosts, e.g. like this:

vi /etc/apache2/sites-available/default

[...]
<IfModule peruser.c>
# this must match a Processor line
ServerEnvironment web1_admin web1
# these are optional - defaults to the values specified above
#MinSpareProcessors 4
#MaxProcessors 20
</IfModule>
[...]

This must be in a <VirtualHost></VirtualHost> container. The ServerEnvironment line must match exactly one of the Processor lines from the mpm-peruser configuration (if you have defined a chroot in the Processor line, you must list the chroot here as well, e.g.:

[...]
ServerEnvironment web1_admin web1 /var/www
[...]

). This defines under which user and group this specific vhost is running.

Restart Apache afterwards:

/etc/init.d/apache2 restart

4 Rebuilding libapache2-mod-php5

Now let's rebuild libapache2-mod-php5. First we install a few prerequisites:

apt-get install apache-dev bison chrpath firebird2-dev flex freetds-dev libbz2-dev libc-client-dev libcurl3-openssl-dev libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev libjpeg62-dev libmcrypt-dev libmhash-dev libmysqlclient15-dev libncurses5-dev libpam0g-dev libpng12-dev libpspell-dev librecode-dev libsnmp9-dev libsqlite0-dev libt1-dev libtidy-dev libwrap0-dev libxmltok1-dev libxml2-dev libxslt1-dev re2c unixodbc-dev automake1.4 libtool shtool

Then we get the PHP5 source package...

cd /usr/src
apt-get source php5

... and go to the source directory:

cd php5-5.2.0

Now we must tell PHP5 that it accepts either apache2-mpm-prefork or apache2-mpm-itk or apache2-mpm-peruser as a dependency. Open debian/rules:

vi debian/rules

Towards the end of the file you will find this line:

[...]
echo "apache2:Depends=apache2-mpm-prefork (>> 2.0.52) | apache2-mpm-itk, apache2.2-common" >>debian/libapache2-mod-php5.substvars
[...]

Change it to:

[...]
echo "apache2:Depends=apache2-mpm-prefork (>> 2.0.52) | apache2-mpm-itk | apache2-mpm-peruser, apache2.2-common" >>debian/libapache2-mod-php5.substvars
[...]

Then run

dpkg-buildpackage

to rebuild the PHP5 packages.

Let's check next what we've got now:

cd /usr/src
ls -l

server1:/usr/src# ls -l
total 28940
-rw-r--r--  1 root src    11392 2007-10-03 19:02 apache2-mpm-itk_2.2.3-01-2.diff.gz
-rw-r--r--  1 root src      664 2007-10-03 19:02 apache2-mpm-itk_2.2.3-01-2.dsc
-rw-r--r--  1 root src    29071 2006-10-31 00:04 apache2-mpm-itk_2.2.3-01.orig.tar.gz
drwxr-xr-x  5 root root    4096 2008-08-16 13:40 apache2-mpm-peruser-2.2.3-01
-rw-r--r--  1 root src      353 2008-08-16 13:36 apache2-mpm-peruser_2.2.3-01-1.dsc
-rw-r--r--  1 root src      710 2008-08-16 13:40 apache2-mpm-peruser_2.2.3-01-1_i386.changes
-rw-r--r--  1 root src   165438 2008-08-16 13:40 apache2-mpm-peruser_2.2.3-01-1_i386.deb
-rw-r--r--  1 root src    50282 2008-08-16 13:36 apache2-mpm-peruser_2.2.3-01-1.tar.gz
-rw-r--r--  1 root root 6364431 2008-03-22 10:35 apache2.tar.gz
-rw-r--r--  1 root src  2413278 2008-08-16 14:30 libapache2-mod-php5_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src  2412784 2008-08-16 14:30 libapache-mod-php5_5.2.0-8+etch11_i386.deb
drwxr-xr-x 20 root root    4096 2008-08-16 14:29 php5-5.2.0
-rw-r--r--  1 root src     1040 2008-08-16 14:30 php5_5.2.0-8+etch11_all.deb
-rw-r--r--  1 root src   914599 2008-08-16 13:55 php5_5.2.0-8+etch11.diff.gz
-rw-r--r--  1 root src     1741 2008-08-16 13:55 php5_5.2.0-8+etch11.dsc
-rw-r--r--  1 root src     4768 2008-08-16 14:30 php5_5.2.0-8+etch11_i386.changes
-rw-r--r--  1 root src  8583491 2006-11-07 13:34 php5_5.2.0.orig.tar.gz
-rw-r--r--  1 root src  4757790 2008-08-16 14:30 php5-cgi_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src  2397698 2008-08-16 14:30 php5-cli_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src   215284 2008-08-16 14:30 php5-common_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    24478 2008-08-16 14:30 php5-curl_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src   344780 2008-08-16 14:30 php5-dev_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    33426 2008-08-16 14:30 php5-gd_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    34508 2008-08-16 14:30 php5-imap_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    44362 2008-08-16 14:30 php5-interbase_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    17250 2008-08-16 14:30 php5-ldap_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    12844 2008-08-16 14:30 php5-mcrypt_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src     5052 2008-08-16 14:30 php5-mhash_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    64620 2008-08-16 14:30 php5-mysql_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    34060 2008-08-16 14:30 php5-odbc_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    50482 2008-08-16 14:30 php5-pgsql_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src     8632 2008-08-16 14:30 php5-pspell_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src     4774 2008-08-16 14:30 php5-recode_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    11308 2008-08-16 14:30 php5-snmp_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    34160 2008-08-16 14:30 php5-sqlite_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    18414 2008-08-16 14:30 php5-sybase_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    16482 2008-08-16 14:30 php5-tidy_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    36458 2008-08-16 14:30 php5-xmlrpc_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    12258 2008-08-16 14:30 php5-xsl_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src   311360 2008-08-16 14:30 php-pear_5.2.0-8+etch11_all.deb
server1:/usr/src#

We can install the new PHP5 packages as follows:

dpkg -i php5*.deb
dpkg -i libapache2-mod-php5_5.2.0-8+etch11_i386.deb

This time will not complain about the missing apache2-mpm-prefork package because apach2-mpm-peruser is installed which is enough for the new package.

All that is left to do is enable the PHP5 module and restart Apache:

a2enmod php5
/etc/init.d/apache2 restart

Now open the phpinfo(); page again in a browser - it should now show peruser instead of prefork in the Loaded Modules row under apache2handler: