[mpm-itk] problem with authentication (AuthType Basic...)

Patrick Proniewski patpro at patpro.net
Thu Mar 28 17:13:02 CET 2013


I've just deployed apache 2.2 with mpm-itk in production (~35 vhosts, 250 web sites) and discovered a serious issue.
As you can read, I've got more web sites than vhosts, so basically, for some vhosts I have many web sites:

<vhost number 1>
	# global directives
	# default user:group
	AssignUserID www www

	<directory #1>
		# local user:group
		AssignUserID user1 www
	<directory #2>
		# local user:group
		AssignUserID user2 www
	# and so on

Works great, until some user tries to use authentication (.htaccess for example). Something quite simple like this will fail:

	AuthType Basic 
	AuthName "foo bar" 
	AuthUserFile /tmp/patpro.passwd 
	AuthGroupFile /tmp/patpro.group 
	Require group admin 

The symptom is quite clear: 

[warn] Couldn't set uid/gid/priority, closing connection.
[warn] (itkmpm: pid=82842 uid=1002, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted

When I GET a web page from http://vhost #1/directory #1/, the httpd process takes UID user1 and GID www (80), then the process tries to trigger authentication. This authentication process seems to relate to vhost #1, so the httpd process tries to switch to UID www, and fails.
I understand it's perfectly "legal", but I need a way out, a workaround, to allow my users to use authentication...

Any idea?


