Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-peruser On Debian Etch - Page 2

3 Configuring apache2-mpm-peruser

In this example I will use the default Debian Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.

If the user and group don't already exist, we can create them as follows:

groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin

Now we open the main Apache configuration (/etc/apache2/apache2.conf) and search for the section where the various MPMs (prefork, worker, etc.) are configured, and add something like this to it:

vi /etc/apache2/apache2.conf

[...]
<IfModule peruser.c>
ServerLimit 256
MaxClients 256
MinSpareProcessors 2
MaxProcessors 10
MaxRequestsPerChild 1000
# kill idle processors after this many seconds (0 to disable)
IdleTimeout 60
# kill hung processes after this many seconds (0 to disable)
ExpireTimeout 300
# set up a few multiplexer processes running as nobody
Multiplexer nobody nogroup
Multiplexer nobody nogroup
Multiplexer nobody nogroup
# Processor <user> <group> <chroot>
# chroot is optional
Processor web1_admin web1
</IfModule>
[...]

The Processor line is important - it tells Apache which user/group pair is allowed to run a vhost. If you have a second vhost that you want to run as user web2_admin and group web2, just add a second Processor line. You can even chroot the user/group by adding an optional directory:

[...]
Processor web1_admin web1 /var/www
[...]

We must also modify our vhosts, e.g. like this:

vi /etc/apache2/sites-available/default

[...]
<IfModule peruser.c>
# this must match a Processor line
ServerEnvironment web1_admin web1
# these are optional - defaults to the values specified above
#MinSpareProcessors 4
#MaxProcessors 20
</IfModule>
[...]

This must be in a <VirtualHost></VirtualHost> container. The ServerEnvironment line must match exactly one of the Processor lines from the mpm-peruser configuration; it defines under which user and group this specific vhost is running. If you have defined a chroot in the Processor line, you must list the chroot here as well, e.g.:

[...]
ServerEnvironment web1_admin web1 /var/www
[...]
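A consistency check for the matching rule above, as an added example that is not part of the original tutorial: the function compares every ServerEnvironment line in the given vhost files with the Processor lines in the main configuration and reports any that have no exact match. The sample files, the web2_admin/web2 pair and the /var/www/web2 chroot are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: cross-check ServerEnvironment lines against Processor lines.
# Usage: check_peruser /etc/apache2/apache2.conf /etc/apache2/sites-enabled/*
# Prints every ServerEnvironment with no identical Processor; returns 1 if any.
check_peruser() {
    main_conf=$1; shift
    awk '
        # "Directive user group [chroot]" -> "user group[ chroot]"
        function key(   s) { s = $2 " " $3; if (NF >= 4) s = s " " $4; return s }
        /^[ \t]*#/ { next }                      # skip comment lines
        FILENAME == ARGV[1] {                    # main config: collect Processors
            if (tolower($1) == "processor") proc[key()] = 1
            next
        }
        tolower($1) == "serverenvironment" {     # vhost files: must match exactly
            k = key()
            if (!(k in proc)) {
                printf "%s:%d: no Processor line for: %s\n", FILENAME, FNR, k
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$main_conf" "$@"
}

# Constructed sample input (not the real files from this tutorial's server).
demo=$(mktemp -d)
cat > "$demo/apache2.conf" <<'EOF'
<IfModule peruser.c>
Multiplexer nobody nogroup
Processor web1_admin web1
Processor web2_admin web2 /var/www/web2
</IfModule>
EOF
cat > "$demo/good.vhost" <<'EOF'
<VirtualHost *>
ServerEnvironment web1_admin web1
</VirtualHost>
EOF
cat > "$demo/bad.vhost" <<'EOF'
<VirtualHost *>
# the chroot from the Processor line is missing here
ServerEnvironment web2_admin web2
</VirtualHost>
EOF
check_peruser "$demo/apache2.conf" "$demo/good.vhost" "$demo/bad.vhost" \
    || echo "fix the lines above before restarting Apache"
```
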

Restart Apache afterwards:

/etc/init.d/apache2 restart

 

4 Rebuilding libapache2-mod-php5

Now let's rebuild libapache2-mod-php5. First we install a few prerequisites:

apt-get install apache-dev bison chrpath firebird2-dev flex freetds-dev libbz2-dev libc-client-dev libcurl3-openssl-dev libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev libjpeg62-dev libmcrypt-dev libmhash-dev libmysqlclient15-dev libncurses5-dev libpam0g-dev libpng12-dev libpspell-dev librecode-dev libsnmp9-dev libsqlite0-dev libt1-dev libtidy-dev libwrap0-dev libxmltok1-dev libxml2-dev libxslt1-dev re2c unixodbc-dev automake1.4 libtool shtool

Then we get the PHP5 source package...

cd /usr/src
apt-get source php5

... and go to the source directory:

cd php5-5.2.0

Now we must tell PHP5 that it accepts either apache2-mpm-prefork or apache2-mpm-itk or apache2-mpm-peruser as a dependency. Open debian/rules:

vi debian/rules

Towards the end of the file you will find this line:

[...]
echo "apache2:Depends=apache2-mpm-prefork (>> 2.0.52) | apache2-mpm-itk, apache2.2-common" >>debian/libapache2-mod-php5.substvars
[...]

Change it to:

[...]
echo "apache2:Depends=apache2-mpm-prefork (>> 2.0.52) | apache2-mpm-itk | apache2-mpm-peruser, apache2.2-common" >>debian/libapache2-mod-php5.substvars
[...]

Then run

dpkg-buildpackage

to rebuild the PHP5 packages.

Let's check next what we've got now:

cd /usr/src
ls -l

server1:/usr/src# ls -l
total 28940
-rw-r--r--  1 root src    11392 2007-10-03 19:02 apache2-mpm-itk_2.2.3-01-2.diff.gz
-rw-r--r--  1 root src      664 2007-10-03 19:02 apache2-mpm-itk_2.2.3-01-2.dsc
-rw-r--r--  1 root src    29071 2006-10-31 00:04 apache2-mpm-itk_2.2.3-01.orig.tar.gz
drwxr-xr-x  5 root root    4096 2008-08-16 13:40 apache2-mpm-peruser-2.2.3-01
-rw-r--r--  1 root src      353 2008-08-16 13:36 apache2-mpm-peruser_2.2.3-01-1.dsc
-rw-r--r--  1 root src      710 2008-08-16 13:40 apache2-mpm-peruser_2.2.3-01-1_i386.changes
-rw-r--r--  1 root src   165438 2008-08-16 13:40 apache2-mpm-peruser_2.2.3-01-1_i386.deb
-rw-r--r--  1 root src    50282 2008-08-16 13:36 apache2-mpm-peruser_2.2.3-01-1.tar.gz
-rw-r--r--  1 root root 6364431 2008-03-22 10:35 apache2.tar.gz
-rw-r--r--  1 root src  2413278 2008-08-16 14:30 libapache2-mod-php5_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src  2412784 2008-08-16 14:30 libapache-mod-php5_5.2.0-8+etch11_i386.deb
drwxr-xr-x 20 root root    4096 2008-08-16 14:29 php5-5.2.0
-rw-r--r--  1 root src     1040 2008-08-16 14:30 php5_5.2.0-8+etch11_all.deb
-rw-r--r--  1 root src   914599 2008-08-16 13:55 php5_5.2.0-8+etch11.diff.gz
-rw-r--r--  1 root src     1741 2008-08-16 13:55 php5_5.2.0-8+etch11.dsc
-rw-r--r--  1 root src     4768 2008-08-16 14:30 php5_5.2.0-8+etch11_i386.changes
-rw-r--r--  1 root src  8583491 2006-11-07 13:34 php5_5.2.0.orig.tar.gz
-rw-r--r--  1 root src  4757790 2008-08-16 14:30 php5-cgi_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src  2397698 2008-08-16 14:30 php5-cli_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src   215284 2008-08-16 14:30 php5-common_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    24478 2008-08-16 14:30 php5-curl_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src   344780 2008-08-16 14:30 php5-dev_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    33426 2008-08-16 14:30 php5-gd_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    34508 2008-08-16 14:30 php5-imap_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    44362 2008-08-16 14:30 php5-interbase_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    17250 2008-08-16 14:30 php5-ldap_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    12844 2008-08-16 14:30 php5-mcrypt_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src     5052 2008-08-16 14:30 php5-mhash_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    64620 2008-08-16 14:30 php5-mysql_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    34060 2008-08-16 14:30 php5-odbc_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    50482 2008-08-16 14:30 php5-pgsql_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src     8632 2008-08-16 14:30 php5-pspell_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src     4774 2008-08-16 14:30 php5-recode_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    11308 2008-08-16 14:30 php5-snmp_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    34160 2008-08-16 14:30 php5-sqlite_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    18414 2008-08-16 14:30 php5-sybase_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    16482 2008-08-16 14:30 php5-tidy_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    36458 2008-08-16 14:30 php5-xmlrpc_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src    12258 2008-08-16 14:30 php5-xsl_5.2.0-8+etch11_i386.deb
-rw-r--r--  1 root src   311360 2008-08-16 14:30 php-pear_5.2.0-8+etch11_all.deb
server1:/usr/src#

We can install the new PHP5 packages as follows:

dpkg -i php5*.deb
dpkg -i libapache2-mod-php5_5.2.0-8+etch11_i386.deb

This time dpkg will not complain about the missing apache2-mpm-prefork package, because apache2-mpm-peruser is installed, which is enough for the new package.

All that is left to do is enable the PHP5 module and restart Apache:

a2enmod php5
/etc/init.d/apache2 restart

Now open the phpinfo(); page again in a browser. It should now show peruser instead of prefork in the Loaded Modules row under apache2handler.

Falko Timme
