Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch

Version 1.0
Author: Falko Timme
Last edited 08/13/2008

This article explains how you can install and configure apache2-mpm-itk on a Debian Etch server. apache2-mpm-itk is an MPM (Multi-Processing Module) for the Apache 2 web server. mpm-itk allows you to run each of your vhost under a separate UID and GID - in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts. mpm-itk works with mod_php because mpm-itk is based on the traditional prefork MPM, which means it's non-threaded. This means you don't need to use suExec or suPHP anymore to run a website's PHP scripts as a separate user.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!


1 Preliminary Note

I'm assuming you have a working Apache2 installation with mod_php on your Debian Etch server.

For speed considerations, take a look at

For security considerations, please visit


2 Installing apache2-mpm-itk

apache2-mpm-itk is available as a Debian package for Debian Etch, so all we have to do is run

apt-get install apache2-mpm-itk


3 Configuring apache2-mpm-itk

apache2-mpm-itk is configured on a per-vhost basis, i.e., we don't have to set any global options, and there's only one directive we need to set in a vhost, AssignUserId, which takes two parameters, the user name and the group that the vhost will run as.

In this example I will use the default Debian Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.

If the user and group don't already exist, we can create them as follows:

groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin

Then we open our vhost configuration and add the following lines to it:

<IfModule mpm_itk_module>
AssignUserId web1_admin web1

For example:

vi /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from ::1/128

<IfModule mpm_itk_module>
AssignUserId web1_admin web1

Restart Apache afterwards:

/etc/init.d/apache2 restart

That's it!


4 Links

Share this page:

3 Comment(s)

Add comment


From: at: 2008-08-16 10:08:49

Are there any plans to include this in ISPconfig ?

 Best regards

 Allan Jacobsen

From: at: 2010-08-09 08:38:05

It has been done in ISPconfig 3.

Also, this howto should also work for Debian GNU/Linux Lenny.

From: Nikolay Ulyanitsky at: 2010-05-01 12:07:59