Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Ubuntu 9.04

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 05/22/2009

This article explains how you can install and configure apache2-mpm-itk on an Ubuntu 9.04 server. apache2-mpm-itk is an MPM (Multi-Processing Module) for the Apache 2 web server. mpm-itk allows you to run each of your vhost under a separate UID and GID - in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts. mpm-itk works with mod_php because mpm-itk is based on the traditional prefork MPM, which means it's non-threaded. This means you don't need to use suExec or suPHP anymore to run a website's PHP scripts as a separate user.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

1 Preliminary Note

I'm assuming you have a working Apache2 installation with mod_php on your Ubuntu 9.04 server.

For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/.

For security considerations, please visit http://mpm-itk.sesse.net/.

I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root:

sudo su

2 Installing apache2-mpm-itk

apache2-mpm-itk is available as a .deb package for Ubuntu 9.04, so all we have to do is run

aptitude install apache2-mpm-itk

3 Configuring apache2-mpm-itk

apache2-mpm-itk is configured on a per-vhost basis, i.e., we don't have to set any global options, and there's only one directive we need to set in a vhost, AssignUserId, which takes two parameters, the user name and the group that the vhost will run as.

In this example I will use the default Ubuntu Apache vhost (you can find its configuration in /etc/apache2/sites-available/default) with the document root /var/www (if you have different vhosts, please adjust this to your situation), and I want this vhost to run as the user web1_admin and group web1.

If the user and group don't already exist, we can create them as follows:

groupadd web1
useradd -s /bin/false -d /home/web1_admin -m -g web1 web1_admin

Then we open our vhost configuration and add the following lines to it:

[...]
<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>
[...]

For example:

vi /etc/apache2/sites-available/default

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
    <IfModule mpm_itk_module>
        AssignUserId web1_admin web1
    </IfModule>
</VirtualHost>

Restart Apache afterwards:

/etc/init.d/apache2 restart

That's it!

4 Links

• apache2-mpm-itk: http://mpm-itk.sesse.net/
• Apache: http://httpd.apache.org/
• Ubuntu: http://www.ubuntu.com/