Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch

Discussion in 'HOWTO-Related Questions' started by Paladinemishakal, Jan 20, 2009.

  1. Paladinemishakal

    Paladinemishakal New Member

    Hi All,

    I am looking at setting up a site with Apache running as a different user. I have googled and found the steps to do it (http://www.howtoforge.org/running-v...uids-gids-with-apache2-mpm-itk-on-debian-etch).

    I have added the directives to one of my vhost files and restarted Apache (sudo /etc/init.d/apache2 restart). I want to know how I can check whether it is working as I wanted it to. I tried using "ps aux" and looking for the apache string, but I found that all the processes started are running either as root or www-data.

    root 2101 0.0 1.4 22724 7268 ? Ss 17:52 0:00 /usr/sbin/apache2 -k start
    www-data 2103 0.0 0.4 16248 2332 ? S 17:52 0:00 /usr/sbin/apache2 -k start
    root 2104 0.0 0.6 22724 3532 ? S 17:52 0:00 /usr/sbin/apache2 -k start
    root 2105 0.0 0.6 22724 3520 ? S 17:52 0:00 /usr/sbin/apache2 -k start
    root 2106 0.0 0.6 22724 3520 ? S 17:52 0:00 /usr/sbin/apache2 -k start
    root 2107 0.0 0.6 22724 3520 ? S 17:52 0:00 /usr/sbin/apache2 -k start
    root 2108 0.0 0.6 22724 3520 ? S 17:52 0:00 /usr/sbin/apache2 -k start

    1. Is this the correct behaviour?
    2. If the user wants to restart or reload Apache, how can they do that without root access?

    Regards.
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Yes.
    You can remove the <IfModule mpm_itk_module> and </IfModule> lines around the AssignUserId line and restart Apache - if you don't get an error, the module is working fine (you can then insert back the lines).

    You'd have to edit the /etc/sudoers with visudo. But please note that it is a security risk if normal users are able to start/stop/restart/reload Apache - what if a user stops Apache, and you notice it only a few days later?
     
  3. Paladinemishakal

    Paladinemishakal New Member

    Problem solved

    Thanks for the advice. I also found out from another post on hackthissite.org and emailed the writer (WhiteAcid) asking how to verify it.

    To check which modules are loaded in Apache2, you can run "/usr/sbin/apache2 -M", which will list the modules that are loaded. From there, look for mpm_itk_module (static), which means it is loaded.

    Another way is to write a simple PHP script:
    <?php system('whoami'); // system() prints the command's output itself ?>

    Reload the system and access the script from the browser and check the user/group.
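
As an added example (not from the thread or the HOWTO), a static counterpart to the checks discussed above: it confirms that mpm_itk_module appears in `apache2 -M` output and lists the uid/gid each vhost is assigned, flagging vhosts that have no AssignUserId or that are assigned root. The module list, vhost config, hostnames and account names below are constructed sample input, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit which uid/gid each vhost is assigned under mpm-itk.
# Sample inputs below are constructed; on a real host feed `apache2 -M`
# output and the files under /etc/apache2/sites-enabled/ instead.

# Succeeds if the module list on stdin (from `apache2 -M`) includes mpm_itk.
itk_loaded() {
    grep -Eq '^[[:space:]]*mpm_itk_module'
}

# Print "ServerName user group" for each <VirtualHost> block read from stdin.
# Vhosts without AssignUserId are reported as "DEFAULT DEFAULT": they run as
# the global User/Group (www-data on Debian), not as a separate account.
vhost_ids() {
    awk '
        tolower($1) ~ /^<virtualhost/ { inside = 1; name = "?"; u = "DEFAULT"; g = "DEFAULT"; next }
        inside && tolower($1) == "servername"   { name = $2 }
        inside && tolower($1) == "assignuserid" { u = $2; g = $3 }
        tolower($1) ~ /^<\/virtualhost/ { if (inside) print name, u, g; inside = 0 }
    '
}

# Reduce vhost_ids output to the entries worth a second look:
# no separate uid assigned, or assigned to root.
risky_vhosts() {
    awk '$2 == "DEFAULT" || $2 == "root" { print $1 }'
}

SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_itk_module (static)
 php5_module (shared)'

SAMPLE_VHOSTS='<VirtualHost *:80>
    ServerName site1.example.com
    <IfModule mpm_itk_module>
        AssignUserId web1_admin web1
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName site2.example.com
    DocumentRoot /var/www/site2
</VirtualHost>'

printf '%s\n' "$SAMPLE_MODULES" | itk_loaded && echo "mpm_itk is loaded"
printf '%s\n' "$SAMPLE_VHOSTS" | vhost_ids
```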
     
  4. Nikolay Ulyanitsky

    Nikolay Ulyanitsky New Member
