Running Apache VirtualHost under separate user with mpm-itk

mpm-itk allow you to run Apache VirtualHost under a specific user/group instead of under the Apache user/group. On Debian/Ubuntu Apache web server is run under user www-data. When you host multiple websites under an Apache server, running all sites under the same www-data user allows a hacker to access files of other sites if one of the sites is hacked. Having apache VirtualHost run as it own user give user-level isolation for each of your website. This also avoids permission-related errors due to apache running as a different user than the user you use to upload the files.

mpm-itk is non-threaded, it works file with mod_php. It works very similarly to mod_ruid2, which is removed from the latest Debian due to a security issue.

On Debian/Ubuntu, you can install it with

apt install libapache2-mpm-itk

During the installation, the apache module gets enabled by default, you can enable/disable it with command

a2dismod mpm_itk
a2enmod mpm_itk

To activate mpm-itk, all you need to do is add the following code to the Apache VirtualHost entry of your website.


    AssignUserID USERNAME GROUP

I normally create a user with the command

useradd -m --shell /bin/bash --home /home/DOMAIN_NAME USERNAME

Then create a VirtualHost like the following

vi /etc/apache2/sites-available/DOMAIN_NAME.conf

Add


    ServerName DOMAIN_NAME
    ServerAlias www.DOMAIN_NAME
    ServerAdmin info@DOMAIN_NAME
    DocumentRoot /home/DOMAIN_NAME/html
    CustomLog ${APACHE_LOG_DIR}/DOMAIN_NAME.log combined
    ErrorLog ${APACHE_LOG_DIR}/DOMAIN_NAME-error.log
    Header always append X-Frame-Options SAMEORIGIN
    
        AssignUserID USERNAME USERNAME
    
    
        Options All -Indexes
        AllowOverride All
        Require all granted
        Order allow,deny
        allow from all
    

Enable VirtialHost with

a2ensite DOMAIN_NAME

Create website folders

mkdir /home/DOMAIN_NAME/html/
chown -R USERNAME:USERNAME /home/DOMAIN_NAME/
chmod -R 755 /home/DOMAIN_NAME/

Restart Apache webserver

systemctl restart apache2

Back to Apache

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *