Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch

Version 1.0
Author: Falko Timme

This article explains how you can install and configure apache2-mpm-itk on a Debian Etch server. apache2-mpm-itk is an MPM (Multi-Processing Module) for the Apache 2 web server. mpm-itk allows you to run each of your vhosts under a separate UID and GID - in short, the scripts and configuration files for one vhost no longer have to be readable by all the other vhosts. mpm-itk works with mod_php because mpm-itk is based on the traditional prefork MPM, which means it's non-threaded. This means you don't need to use suExec or suPHP anymore to run a website's PHP scripts as a separate user.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!


1 Preliminary Note

I'm assuming you have a working Apache2 installation with mod_php on your Debian Etch server.

For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/.

For security considerations, please visit http://mpm-itk.sesse.net/.


2 Installing apache2-mpm-itk

apache2-mpm-itk is available as a Debian package for Debian Etch, so all we have to do is run

apt-get install apache2-mpm-itk


3 Configuring apache2-mpm-itk

apache2-mpm-itk is configured on a per-vhost basis, i.e., we don't have to set any global options, and there's only one directive we need to set in a vhost, AssignUserId, which takes two parameters, the user name and the group that the vhost will run as.

In this example I will use the default Debian Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.

If the user and group don't already exist, we can create them as follows:

groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin

Then we open our vhost configuration and add the following lines to it:

[...]
<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
[...]

For example:

vi /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
        ServerAdmin [email protected]

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
</VirtualHost>

Restart Apache afterwards:

/etc/init.d/apache2 restart

That's it!
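Two checks are worth running once the vhost is set up; the script below is an added example and is not part of the article. check_vhost_uids reads a vhost configuration file and reports, for every <VirtualHost> block, whether AssignUserId is present unconditionally (OK), only inside an <IfModule> guard (CONDITIONAL, meaning the vhost silently falls back to the global Apache user if the module is not loaded), or absent (MISSING). world_readable lists files under a document root that any local user can still read, since the UID separation only helps if the vhost's files are not world-readable. It assumes the configuration is a single file (Include lines are not followed) with one directive per line, as in /etc/apache2/sites-available/default above.

```shell
#!/bin/sh
# Added example (not from the original article): audit an mpm-itk setup.
# Assumptions: one config file, no Include, one directive per line.

# check_vhost_uids FILE
# Prints one line per <VirtualHost> block: "OK", "CONDITIONAL" or "MISSING",
# followed by the line number where the block starts. Exits 1 if any block
# has no AssignUserId at all.
check_vhost_uids() {
    awk '
        { l = tolower($0) }                     # Apache directives are case-insensitive
        l ~ /^[ \t]*<virtualhost/ { in_vhost = 1; start = NR; state = "MISSING"; next }
        l ~ /^[ \t]*<ifmodule/    { ifdepth++ } # track <IfModule> nesting
        l ~ /^[ \t]*<\/ifmodule>/ { ifdepth-- }
        in_vhost && l ~ /^[ \t]*assignuserid[ \t]/ {
            # an unconditional AssignUserId always wins over a guarded one
            if (ifdepth > 0) { if (state == "MISSING") state = "CONDITIONAL" } else state = "OK"
        }
        in_vhost && l ~ /^[ \t]*<\/virtualhost>/ {
            print state " vhost at line " start
            if (state == "MISSING") missing++
            in_vhost = 0
        }
        END { if (missing > 0) exit 1 }
    ' "$1"
}

# world_readable DIR
# Prints every file or directory under DIR with the "other read" bit set
# (octal 004) and returns 1 if there is at least one; returns 0 otherwise.
world_readable() {
    find "$1" -perm -004 -print | grep . && return 1
    return 0
}

# Usage: sh audit.sh /etc/apache2/sites-available/default /var/www
if [ "$#" -eq 2 ]; then
    check_vhost_uids "$1"
    world_readable "$2" && echo "no world-readable files under $2"
fi
```

A CONDITIONAL result is what the configuration in this article produces; it is acceptable as long as you also confirm with apache2ctl -M (or the equivalent) that mpm_itk_module is actually loaded after every upgrade.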

Comments

By:

Are there any plans to include this in ISPconfig?

Best regards

Allan Jacobsen

By:

It has been done in ISPconfig 3.

This howto should also work for Debian GNU/Linux Lenny.

By: Nikolay Ulyanitsky
By: KEMBL

Thank you, but IfModule mpm_itk_module is a bad idea: one perfect day mpm_itk_module will be gone and Apache will start to work with default credentials :)

By: Greg

Great, though I'd suggest indenting these lines:

        <IfModule mpm_itk_module>
                AssignUserId web1_admin web1
        </IfModule>

..so that they appear to be within the <VirtualHost> block, as I believe that is important to convey these settings should only affect this virtualhost, and not others.

By: till

The indentation of the lines does not matter in Apache config files (unlike e.g. .yml files of other software packages, where indentation matters). For Apache it only matters that the lines are before the closing </VirtualHost> line, which is the case here.