[mpm-itk] mpm-itk and mod_userdir on Apache 2.4 (Debian 9)

Patrick Proniewski patpro at patpro.net
Fri May 17 18:55:23 UTC 2019


Dave,

I do believe that Debian, like any other UNIX/Linux, launches a master httpd as root. This master process spawns children httpd running as www-data (www on FreeBSD, apache on CentOS, etc.). Those children handle client requests.
With mod_itk, not one but a handful of master processes are launched as root; they drop to an unprivileged account to serve client requests. The target UID/GID is defined by the AssignUserID directive (per Directory, or per VirtualHost, etc.) set up in your Apache config.
You'll have to trust mod_itk with this. If you don't, just stay away from it, and use another privilege/environment separation option (Jail on FreeBSD, Docker (?) on Linux…)

patpro

> On 17 mai 2019, at 20:45, Dave Hall <kdhall at binghamton.edu> wrote:
> 
> Patrick,
> 
> Debian, by default, creates user www-data and uses this to run Apache.  Changing to run as root certainly isn't very attractive - maybe in a container.   OTOH when I set AssignUserId in a virtual host config, it seems to work.  So I guess the trick is your technique of a <Directory> section per user will probably work under Debian.
> 
> -Dave
> 
> Dave Hall
> Binghamton University
> kdhall at binghamton.edu
> 607-760-2328 (Cell)
> 607-777-4641 (Office)
> 
> 
> On 5/17/2019 2:20 PM, Patrick Proniewski wrote:
>> Hello
>> 
>> I'm using a comparable setup (on FreeBSD).
>> You are right about the default UID, it's root but you don't have anything to do about that (don't change User and Group directives in httpd.conf).
>> 
>> And you'll probably have to set up a config for every user who will publish web pages (it's what I've done).
>> I have a script to provision user accounts; this script grants student access (/etc/group), creates the DB, and creates an Apache config file (one per user):
>> 
>> modules.d/999_itk_php_<LOGIN>.conf
>> 
>> with content like this:
>> 
>> <Directory /user/<LOGIN>/public_html>
>>         AssignUserID <LOGIN> <GID>
>> </Directory>
>> 
>> Be sure to set up text-only error messages. Don't use:
>> 
>> ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
>> ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
>> ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
>> 
>> but use:
>> 
>> ErrorDocument 404 "404 file not found"
>> ErrorDocument 400 "400 HTTP_BAD_REQUEST"
>> ErrorDocument 401 "401 HTTP_UNAUTHORIZED"
>> 
>> (full explanation: <https://www.patpro.net/blog/index.php/2013/03/30/2442-track-mpm-itk-problems-with-truss/> )
>> 
>> patpro
>> 
>>> On 17 mai 2019, at 19:30, Dave Hall <kdhall at binghamton.edu> wrote:
>>> 
>>> Please pardon if this has already been discussed or solved.
>>> 
>>> I am running Apache 2.4 in an academic environment where we use mod_userdir to teach web programming.  Apparently suphp is now defunct, and php-fpm seems very burdensome for the number of users we have.
>>> 
>>> I've seen various references to using mpm-itk with userdir, but none of the examples I've found discuss where to place the config or any other requirements (i.e the startup userid for Apache - does it have to be root for ITK to work?).
>>> 
>>> Can anybody provide a detailed config for a working installation?  Alternatively, if it has been decided that userdir with mpm-itk just doesn't work, please tell me.
>>> 
>>> Thanks.
>>> 
>>> -Dave
>>> 
>>> -- 
>>> Dave Hall
>>> Binghamton University
>>> kdhall at binghamton.edu
>>> 607-760-2328 (Cell)
>>> 607-777-4641 (Office)
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> mpm-itk mailing list
>>> mpm-itk at err.no
>>> http://lists.err.no/mailman/listinfo/mpm-itk
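
The per-user config generation described in the quoted message, sketched as an added example (not patpro's script and not part of the original thread). It shows the check such a generator needs: account names are validated before they are written into a file that a root-started httpd will parse. The function names, the name pattern, the deny list and the use of a group name where the message writes `<GID>` are assumptions; `/user` and the `999_itk_php_<LOGIN>.conf` file name come from the message.

```python
import os
import re
import tempfile

# Assumed account-name policy. Anything outside it (spaces, quotes, '>',
# '/', newlines) could change the meaning of the generated Apache config.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Assumption: identities that must never become an AssignUserID target.
DENIED_USERS = {"root", "daemon", "www", "www-data", "apache", "nobody"}
DENIED_GROUPS = {"root", "wheel"}

TEMPLATE = """<Directory {home_root}/{login}/public_html>
        AssignUserID {login} {group}
</Directory>
"""


def render_itk_conf(login, group, home_root="/user"):
    """Return the per-user <Directory> block, or raise ValueError.

    home_root is an operator-chosen constant and is not validated here.
    """
    for label, value in (("login", login), ("group", group)):
        # fullmatch, not match with '$': '$' would accept "alice\n".
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"unsafe {label}: {value!r}")
    if login in DENIED_USERS or group in DENIED_GROUPS:
        raise ValueError(f"refusing privileged identity {login}:{group}")
    return TEMPLATE.format(home_root=home_root, login=login, group=group)


def write_itk_conf(login, group, conf_dir, home_root="/user"):
    """Atomically write 999_itk_php_<LOGIN>.conf into conf_dir."""
    body = render_itk_conf(login, group, home_root)
    dest = os.path.join(conf_dir, f"999_itk_php_{login}.conf")
    # Temp file in the same directory, then rename, so a reload never
    # sees a half-written file.
    fd, tmp = tempfile.mkstemp(dir=conf_dir, prefix=".itk_")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(tmp, 0o644)  # readable by httpd, writable by owner only
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise
    return dest


if __name__ == "__main__":
    # Constructed sample account, printed instead of written to disk.
    print(render_itk_conf("alice", "students"), end="")
```
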



