Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Ubuntu 9.10

Version 1.0
Author: Falko Timme

This article explains how to install and configure apache2-mpm-itk on an Ubuntu 9.10 server. apache2-mpm-itk is an MPM (Multi-Processing Module) for the Apache 2 web server. mpm-itk allows you to run each of your vhosts under a separate UID and GID; in short, the scripts and configuration files for one vhost no longer have to be readable by all the other vhosts. mpm-itk works with mod_php because it is based on the traditional prefork MPM, which is non-threaded. This means you no longer need suExec or suPHP to run a website's PHP scripts as a separate user.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I'm assuming you have a working Apache2 installation with mod_php on your Ubuntu 9.10 server.

For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/.

For security considerations, please visit http://mpm-itk.sesse.net/.

I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root:

sudo su

 

2 Installing apache2-mpm-itk

apache2-mpm-itk is available as a .deb package for Ubuntu 9.10, so all we have to do is run

aptitude install apache2-mpm-itk

 

3 Configuring apache2-mpm-itk

apache2-mpm-itk is configured on a per-vhost basis, i.e., we don't have to set any global options. There is only one directive we need to set in a vhost: AssignUserId, which takes two parameters, the user name and the group that the vhost will run as.

In this example I will use the default Ubuntu Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.

If the user and group don't already exist, we can create them as follows:

groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin

Then we open our vhost configuration and add the following lines to it:

[...]
<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
[...]

For example:

vi /etc/apache2/sites-available/default

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
        <IfModule mpm_itk_module>
                AssignUserId web1_admin web1
        </IfModule>
</VirtualHost>

Restart Apache afterwards:

/etc/init.d/apache2 restart

That's it!
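
On a server with several vhosts, it is worth verifying that every vhost actually carries an AssignUserId line (a vhost without one runs as Apache's default user) and that no two vhosts share a user, since either case leaves files readable across sites. The following shell function is an added example, not part of the original tutorial; the names audit_vhosts and write_sample and the web1 to web3.example.com vhosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit vhost files for mpm-itk isolation gaps.
# Prints MISSING for a <VirtualHost> without AssignUserId and SHARED for a
# user:group pair used by more than one vhost. No output means no findings.
audit_vhosts() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }      # tolerate indentation
        line ~ /^#/ { next }                         # skip comment lines
        tolower(line) ~ /^<virtualhost[ \t>]/ {
            in_vh = 1; start = FNR; file = FILENAME; user = ""; next
        }
        in_vh && tolower(line) ~ /^assignuserid[ \t]/ {
            split(line, f, /[ \t]+/); user = f[2] ":" f[3]; next
        }
        in_vh && tolower(line) ~ /^<\/virtualhost>/ {
            in_vh = 0
            if (user == "") { printf "MISSING %s:%d\n", file, start; next }
            seen[user]++; where[user] = where[user] " " file ":" start
        }
        END { for (u in seen) if (seen[u] > 1) printf "SHARED %s%s\n", u, where[u] }
    ' "$@"
}

# Constructed sample: web2 has no AssignUserId, web3 reuses the user of web1.
write_sample() {
cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName web1.example.com
    DocumentRoot /var/www/web1
    <IfModule mpm_itk_module>
        AssignUserId web1_admin web1
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName web2.example.com
    DocumentRoot /var/www/web2
</VirtualHost>
<VirtualHost *:80>
    ServerName web3.example.com
    DocumentRoot /var/www/web3
    AssignUserId web1_admin web1
</VirtualHost>
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && audit_vhosts "$tmp"
rm -f "$tmp"
```

On the server from this tutorial it would be called as audit_vhosts /etc/apache2/sites-available/default; each finding is followed by the file name and the line number where the vhost block starts.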

 


Comments

By: borekon

In Debian 9, the command to install is sudo apt-get install libapache2-mpm-itk