Running Apache VirtualHost under separate user with mpm-itk
mpm-itk allows you to run an Apache VirtualHost under a specific user/group instead of the Apache user/group. On Debian/Ubuntu the Apache web server runs as the user www-data. When you host multiple websites on one Apache server and all of them run as www-data, an attacker who compromises one site can access the files of the other sites. Running each VirtualHost as its own user gives user-level isolation for each of your websites. It also avoids permission-related errors caused by Apache running as a different user than the one you use to upload the files.
mpm-itk is non-threaded, so it works fine with mod_php. It works very similarly to mod_ruid2, which was removed from the latest Debian due to a security issue.
On Debian/Ubuntu, you can install it with
apt install libapache2-mpm-itk
During the installation the Apache module is enabled by default; you can disable or enable it with
a2dismod mpm_itk
a2enmod mpm_itk
To activate mpm-itk, all you need to do is add the following directive to the Apache VirtualHost entry of your website (first the user, then the group).
AssignUserID USERNAME GROUP
I normally create a user with the command
useradd -m --shell /bin/bash --home /home/DOMAIN_NAME USERNAME
Then create a VirtualHost like the following
vi /etc/apache2/sites-available/DOMAIN_NAME.conf
Add
# The <VirtualHost> and <Directory> container tags were lost when this page was extracted;
# they are restored here, and port 80 is assumed.
<VirtualHost *:80>
    ServerName DOMAIN_NAME
    ServerAlias www.DOMAIN_NAME
    ServerAdmin info@DOMAIN_NAME
    DocumentRoot /home/DOMAIN_NAME/html
    CustomLog ${APACHE_LOG_DIR}/DOMAIN_NAME.log combined
    ErrorLog ${APACHE_LOG_DIR}/DOMAIN_NAME-error.log
    # Header requires mod_headers (a2enmod headers)
    Header always append X-Frame-Options SAMEORIGIN
    # run this site's requests as USERNAME:USERNAME instead of www-data
    AssignUserID USERNAME USERNAME
    <Directory /home/DOMAIN_NAME/html>
        Options All -Indexes
        AllowOverride All
        Require all granted
        # Order/allow are Apache 2.2-style; on 2.4 they need mod_access_compat
        # and are redundant with "Require all granted" above
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
Enable the VirtualHost with
a2ensite DOMAIN_NAME
Create website folders
mkdir /home/DOMAIN_NAME/html/
chown -R USERNAME:USERNAME /home/DOMAIN_NAME/
chmod -R 755 /home/DOMAIN_NAME/
Restart Apache webserver
systemctl restart apache2