Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-peruser On Debian Etch - Page 2
3 Configuring apache2-mpm-peruser
In this example I will use the default Debian Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.
If the user and group don't already exist, we can create them as follows:
groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin
Now we open the main Apache configuration (/etc/apache2/apache2.conf) and search for the section where the various MPMs (prefork, worker, etc.) are configured, and add something like this to it:
vi /etc/apache2/apache2.conf
[...]
<IfModule peruser.c>
    ServerLimit 256
    MaxClients 256
    MinSpareProcessors 2
    MaxProcessors 10
    MaxRequestsPerChild 1000
    # kill idle processors after this many seconds (0 to disable)
    IdleTimeout 60
    # kill hung processes after this many seconds (0 to disable)
    ExpireTimeout 300
    # set up a few multiplexer processes running as nobody
    Multiplexer nobody nogroup
    Multiplexer nobody nogroup
    Multiplexer nobody nogroup
    # Processor <user> <group> <chroot>
    # chroot is optional
    Processor web1_admin web1
</IfModule>
[...]
The Processor line is important - it tells Apache which user/group pair is allowed to run a vhost. If you have a second vhost that you want to run as user web2_admin and group web2, just add a second Processor line. You can even chroot the user/group by adding an optional directory:
[...]
Processor web1_admin web1 /var/www
[...]
We must also modify our vhosts, e.g. like this:
vi /etc/apache2/sites-available/default
[...]
<IfModule peruser.c>
    # this must match a Processor line
    ServerEnvironment web1_admin web1
    # these are optional - defaults to the values specified above
    #MinSpareProcessors 4
    #MaxProcessors 20
</IfModule>
[...]
This must be in a <VirtualHost></VirtualHost> container. The ServerEnvironment line must match exactly one of the Processor lines from the mpm-peruser configuration. If you have defined a chroot in the Processor line, you must list the chroot here as well, e.g.:
[...]
ServerEnvironment web1_admin web1 /var/www
[...]
This defines under which user and group this specific vhost is running.
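A check for the matching rule above that can be run before restarting Apache (an added example, not part of the original tutorial): the function check_peruser_env, a hypothetical name, reports every ServerEnvironment line in the given vhost files that has no identical Processor line in the main configuration. It assumes the Processor lines live in the main config and the vhosts in separate files; the sample files are constructed.

```shell
#!/bin/sh
# Added example: flag ServerEnvironment lines that have no identical Processor line.
# Assumes Processor lines live in the main config and vhosts in separate files.
check_peruser_env() {   # usage: check_peruser_env MAIN_CONF VHOST_FILE...
    main_conf=$1; shift
    awk -v main="$main_conf" '
        { sub(/#.*/, ""); $1 = $1 }     # drop comments, collapse whitespace
        FILENAME == main && tolower($1) == "processor" {
            sub(/^[^ ]+ /, ""); processors[$0] = 1; next
        }
        FILENAME != main && tolower($1) == "serverenvironment" {
            sub(/^[^ ]+ /, "")
            if (!($0 in processors)) {
                printf "%s:%d: no Processor line for \"%s\"\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }            # non-zero exit if any vhost is unmatched
    ' "$main_conf" "$@"
}

# Constructed sample input (not from a real server): the Processor line has a
# chroot, the first vhost repeats it, the second one forgets it.
demo_dir=$(mktemp -d)
cat > "$demo_dir/apache2.conf" <<'EOF'
<IfModule peruser.c>
    # Processor <user> <group> <chroot>
    Processor web1_admin web1 /var/www
</IfModule>
EOF
cat > "$demo_dir/vhost-ok" <<'EOF'
<VirtualHost *>
    ServerEnvironment  web1_admin web1 /var/www
</VirtualHost>
EOF
cat > "$demo_dir/vhost-bad" <<'EOF'
<VirtualHost *>
    ServerEnvironment web1_admin web1
</VirtualHost>
EOF
check_peruser_env "$demo_dir/apache2.conf" "$demo_dir/vhost-ok" "$demo_dir/vhost-bad" || true
```

On a real system the call would be check_peruser_env /etc/apache2/apache2.conf /etc/apache2/sites-available/default, with any further vhost files appended.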
Restart Apache afterwards:
/etc/init.d/apache2 restart
4 Rebuilding libapache2-mod-php5
Now let's rebuild libapache2-mod-php5. First we install a few prerequisites:
apt-get install apache-dev bison chrpath firebird2-dev flex freetds-dev libbz2-dev libc-client-dev libcurl3-openssl-dev libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev libjpeg62-dev libmcrypt-dev libmhash-dev libmysqlclient15-dev libncurses5-dev libpam0g-dev libpng12-dev libpspell-dev librecode-dev libsnmp9-dev libsqlite0-dev libt1-dev libtidy-dev libwrap0-dev libxmltok1-dev libxml2-dev libxslt1-dev re2c unixodbc-dev automake1.4 libtool shtool
Then we get the PHP5 source package...
cd /usr/src
apt-get source php5
... and go to the source directory:
cd php5-5.2.0
Now we must tell the PHP5 package to accept apache2-mpm-prefork, apache2-mpm-itk, or apache2-mpm-peruser as a dependency. Open debian/rules:
vi debian/rules
Towards the end of the file you will find this line:
[...]
echo "apache2:Depends=apache2-mpm-prefork (>> 2.0.52) | apache2-mpm-itk, apache2.2-common" >>debian/libapache2-mod-php5.substvars
[...]
Change it to:
[...]
echo "apache2:Depends=apache2-mpm-prefork (>> 2.0.52) | apache2-mpm-itk | apache2-mpm-peruser, apache2.2-common" >>debian/libapache2-mod-php5.substvars
[...]
Then run
dpkg-buildpackage
to rebuild the PHP5 packages.
Let's check next what we've got now:
cd /usr/src
ls -l
server1:/usr/src# ls -l
total 28940
-rw-r--r-- 1 root src 11392 2007-10-03 19:02 apache2-mpm-itk_2.2.3-01-2.diff.gz
-rw-r--r-- 1 root src 664 2007-10-03 19:02 apache2-mpm-itk_2.2.3-01-2.dsc
-rw-r--r-- 1 root src 29071 2006-10-31 00:04 apache2-mpm-itk_2.2.3-01.orig.tar.gz
drwxr-xr-x 5 root root 4096 2008-08-16 13:40 apache2-mpm-peruser-2.2.3-01
-rw-r--r-- 1 root src 353 2008-08-16 13:36 apache2-mpm-peruser_2.2.3-01-1.dsc
-rw-r--r-- 1 root src 710 2008-08-16 13:40 apache2-mpm-peruser_2.2.3-01-1_i386.changes
-rw-r--r-- 1 root src 165438 2008-08-16 13:40 apache2-mpm-peruser_2.2.3-01-1_i386.deb
-rw-r--r-- 1 root src 50282 2008-08-16 13:36 apache2-mpm-peruser_2.2.3-01-1.tar.gz
-rw-r--r-- 1 root root 6364431 2008-03-22 10:35 apache2.tar.gz
-rw-r--r-- 1 root src 2413278 2008-08-16 14:30 libapache2-mod-php5_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 2412784 2008-08-16 14:30 libapache-mod-php5_5.2.0-8+etch11_i386.deb
drwxr-xr-x 20 root root 4096 2008-08-16 14:29 php5-5.2.0
-rw-r--r-- 1 root src 1040 2008-08-16 14:30 php5_5.2.0-8+etch11_all.deb
-rw-r--r-- 1 root src 914599 2008-08-16 13:55 php5_5.2.0-8+etch11.diff.gz
-rw-r--r-- 1 root src 1741 2008-08-16 13:55 php5_5.2.0-8+etch11.dsc
-rw-r--r-- 1 root src 4768 2008-08-16 14:30 php5_5.2.0-8+etch11_i386.changes
-rw-r--r-- 1 root src 8583491 2006-11-07 13:34 php5_5.2.0.orig.tar.gz
-rw-r--r-- 1 root src 4757790 2008-08-16 14:30 php5-cgi_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 2397698 2008-08-16 14:30 php5-cli_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 215284 2008-08-16 14:30 php5-common_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 24478 2008-08-16 14:30 php5-curl_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 344780 2008-08-16 14:30 php5-dev_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 33426 2008-08-16 14:30 php5-gd_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 34508 2008-08-16 14:30 php5-imap_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 44362 2008-08-16 14:30 php5-interbase_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 17250 2008-08-16 14:30 php5-ldap_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 12844 2008-08-16 14:30 php5-mcrypt_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 5052 2008-08-16 14:30 php5-mhash_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 64620 2008-08-16 14:30 php5-mysql_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 34060 2008-08-16 14:30 php5-odbc_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 50482 2008-08-16 14:30 php5-pgsql_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 8632 2008-08-16 14:30 php5-pspell_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 4774 2008-08-16 14:30 php5-recode_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 11308 2008-08-16 14:30 php5-snmp_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 34160 2008-08-16 14:30 php5-sqlite_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 18414 2008-08-16 14:30 php5-sybase_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 16482 2008-08-16 14:30 php5-tidy_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 36458 2008-08-16 14:30 php5-xmlrpc_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 12258 2008-08-16 14:30 php5-xsl_5.2.0-8+etch11_i386.deb
-rw-r--r-- 1 root src 311360 2008-08-16 14:30 php-pear_5.2.0-8+etch11_all.deb
server1:/usr/src#
We can install the new PHP5 packages as follows:
dpkg -i php5*.deb
dpkg -i libapache2-mod-php5_5.2.0-8+etch11_i386.deb
This time dpkg will not complain about the missing apache2-mpm-prefork package, because apache2-mpm-peruser is installed, which is enough for the new package.
All that is left to do is enable the PHP5 module and restart Apache:
a2enmod php5
/etc/init.d/apache2 restart
Now open the phpinfo(); page again in a browser - it should now show peruser instead of prefork in the Loaded Modules row under apache2handler.
5 Links
- mpm-peruser: http://www.telana.com/peruser.php
- Apache: http://httpd.apache.org
- Debian: http://www.debian.org