Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch
Version 1.0
Author: Falko Timme
This article explains how you can install and configure apache2-mpm-itk on a Debian Etch server. apache2-mpm-itk is an MPM (Multi-Processing Module) for the Apache 2 web server. mpm-itk allows you to run each of your vhosts under a separate UID and GID - in short, the scripts and configuration files for one vhost no longer have to be readable by all the other vhosts. mpm-itk works with mod_php because mpm-itk is based on the traditional prefork MPM, which means it's non-threaded. This means you don't need to use suExec or suPHP anymore to run a website's PHP scripts as a separate user.
This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm assuming you have a working Apache2 installation with mod_php on your Debian Etch server.
For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/.
For security considerations, please visit http://mpm-itk.sesse.net/.
2 Installing apache2-mpm-itk
apache2-mpm-itk is available as a Debian package for Debian Etch, so all we have to do is run
apt-get install apache2-mpm-itk
3 Configuring apache2-mpm-itk
apache2-mpm-itk is configured on a per-vhost basis, i.e., we don't have to set any global options, and there's only one directive we need to set in a vhost, AssignUserId, which takes two parameters, the user name and the group that the vhost will run as.
In this example I will use the default Debian Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.
If the user and group don't already exist, we can create them as follows:
groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin
Then we open our vhost configuration and add the following lines to it:
[...]
<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
[...]
For example:
vi /etc/apache2/sites-available/default
NameVirtualHost *
<VirtualHost *>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
</VirtualHost>
Restart Apache afterwards:
/etc/init.d/apache2 restart
That's it!
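The isolation only holds if the files under the vhost's document root are actually owned by the assigned user and group and are not world-readable; the following audit function is an added example, not part of the original article, and assumes GNU find and awk as shipped on Debian (the document root path and the web1_admin/web1 names are the ones used above):

```shell
#!/bin/sh
# Audit a vhost DocumentRoot for mpm-itk isolation: every entry should be
# owned by the vhost's user and group and carry no "other" read bit, since a
# world-readable file is still readable by a script running under another
# vhost's UID.
# Usage: check_vhost_perms DOCROOT USER GROUP
# Prints one line per offending path; returns 1 if any were found, else 0.
check_vhost_perms() {
    docroot=$1 owner=$2 group=$3
    # GNU find: owner, group, octal mode (no leading zero), path per entry
    find "$docroot" -printf '%u %g %m %p\n' | awk -v u="$owner" -v g="$group" '
        {
            mode = $3; path = $4
            for (i = 5; i <= NF; i++) path = path " " $i   # re-join paths with spaces
            other = substr(mode, length(mode), 1)          # last octal digit = "other"
            if ($1 != u)              printf "wrong owner %s: %s\n", $1, path
            else if ($2 != g)         printf "wrong group %s: %s\n", $2, path
            else if (int(other) >= 4) printf "world-readable (%s): %s\n", mode, path
            else next
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Example run against the vhost configured above (run as root on the server):
#   check_vhost_perms /var/www web1_admin web1
```

A clean result is silent; anything printed is a file another vhost's UID could still read or that mpm-itk's user would not own.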
4 Links
- apache2-mpm-itk: http://mpm-itk.sesse.net
- Apache: http://httpd.apache.org
- Debian: http://www.debian.org