Running Apache VirtualHost under separate user with mpm-itk

mpm-itk allow you to run Apache VirtualHost under a specific user/group instead of under the Apache user/group. On Debian/Ubuntu Apache web server is run under user www-data. When you host multiple websites under an Apache server, running all sites under the same www-data user allows a hacker to access files of other sites if one of the sites is hacked. Having apache VirtualHost run as it own user give user-level isolation for each of your website. This also avoids permission-related errors due to apache running as a different user than the user you use to upload the files.

mpm-itk is non-threaded, it works file with mod_php. It works very similarly to mod_ruid2, which is removed from the latest Debian due to a security issue.

On Debian/Ubuntu, you can install it with

apt install libapache2-mpm-itk

1	apt install libapache2-mpm-itk

During the installation, the apache module gets enabled by default, you can enable/disable it with command

a2dismod mpm_itk
a2enmod mpm_itk

1 2	a2dismod mpm_itk a2enmod mpm_itk

To activate mpm-itk, all you need to do is add the following code to the Apache VirtualHost entry of your website.

<IfModule itk.c>
    AssignUserID USERNAME GROUP
</IfModule>

AssignUserID USERNAME GROUP

</IfModule>

I normally create a user with the command

useradd -m --shell /bin/bash --home /home/DOMAIN_NAME USERNAME

1	useradd -m --shell /bin/bash --home /home/DOMAIN_NAME USERNAME

Then create a VirtualHost like the following

vi /etc/apache2/sites-available/DOMAIN_NAME.conf

1	vi /etc/apache2/sites-available/DOMAIN_NAME.conf

Add

<VirtualHost *:80>
    ServerName DOMAIN_NAME
    ServerAlias www.DOMAIN_NAME
    ServerAdmin info@DOMAIN_NAME
    DocumentRoot /home/DOMAIN_NAME/html
    CustomLog ${APACHE_LOG_DIR}/DOMAIN_NAME.log combined
    ErrorLog ${APACHE_LOG_DIR}/DOMAIN_NAME-error.log
    Header always append X-Frame-Options SAMEORIGIN
    <IfModule itk.c>
        AssignUserID USERNAME USERNAME
    </IfModule>
    <Directory "/home/DOMAIN_NAME/html">
        Options All -Indexes
        AllowOverride All
        Require all granted
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

ServerName DOMAIN_NAME

ServerAlias www.DOMAIN_NAME

ServerAdmin info@DOMAIN_NAME

DocumentRoot /home/DOMAIN_NAME/html

CustomLog ${APACHE_LOG_DIR}/DOMAIN_NAME.log combined

ErrorLog ${APACHE_LOG_DIR}/DOMAIN_NAME-error.log

Header always append X-Frame-Options SAMEORIGIN

AssignUserID USERNAME USERNAME

</IfModule>

Options All -Indexes

AllowOverride All

Require all granted

Order allow,deny

allow from all

</Directory>

</VirtualHost>

Enable VirtialHost with

a2ensite DOMAIN_NAME

1	a2ensite DOMAIN_NAME

Create website folders

mkdir /home/DOMAIN_NAME/html/
chown -R USERNAME:USERNAME /home/DOMAIN_NAME/
chmod -R 755 /home/DOMAIN_NAME/

mkdir /home/DOMAIN_NAME/html/

chown -R USERNAME:USERNAME /home/DOMAIN_NAME/

chmod -R 755 /home/DOMAIN_NAME/

Restart Apache webserver

systemctl restart apache2

1	systemctl restart apache2

Back to Apache

Leave a Reply Cancel reply