[mpm-itk] mpm-itk and mod_userdir on Apache 2.4 (Debian 9)

Kim Henriksen kh at ipimp.at
Fri May 17 22:36:26 UTC 2019


I use mod_itk + mod_userdir + mod_php

Here is a snippet from the virtual host configuration:

        # default user to run as
        SetEnvIf Request_URI (.+) ITKUID=apache ITKGID=apache
        # grab username part of the "per-userdir" path
        SetEnvIf Request_URI ^/~([a-z]+)/ ITKUID=$1 ITKGID=$1
        # don't allow "root"
        SetEnvIf ITKUID ^root$ ITKUID=apache
        SetEnvIf ITKGID ^root$ ITKGID=apache
        AssignUserIDExpr %{reqenv:ITKUID}
        AssignGroupIDExpr %{reqenv:ITKGID}

Also some distros ship with PHP configured to be disabled by default in
/home/*/public_html - you will need to uncomment/remove that.

Also you need to specify temp file paths, like upload path, session paths
"per-user", e.g. using a .htaccess file in the /home/*/public_html folder.

The directories could be paths in the users home like
/home/*/.php/{tmp,session} etc.

Also if you are using SELinux you will need to add file contexts
accordingly (httpd_user_rw_content_t)

On Fri, May 17, 2019 at 8:55 PM Patrick Proniewski <patpro at patpro.net>
wrote:

> Dave,
>
> I do believe that Debian like any other UNIX/Linux launches a master httpd
> as root. This master process spawns children httpd running as www-data (www
> on FreeBSD, apache on CentOS, etc.). Those children handle client requests.
> With mod_itk, not one but a handful of master processes are launched as
> root, they drop to an unprivileged account to serve client requests, the
> target UID/GID is defined by the AssignUserID directive (per Directory, or
> per VirtualHost, etc.) set up in your apache config.
> You'll have to trust mod_itk with this. If you don't, just stay away from
> it, and use another privilege/environment separation option (Jail on
> FreeBSD, Docker (?) on Linux…)
>
> patpro
>
> > On 17 mai 2019, at 20:45, Dave Hall <kdhall at binghamton.edu> wrote:
> >
> > Patrick,
> >
> > Debian, by default, creates user www-data and uses this to run Apache.
> > Changing to run as root certainly isn't very attractive - maybe in a
> > container.   OTOH when I set AssignUserId in a virtual host config, it
> > seems to work.  So I guess the trick is your technique of a <Directory>
> > section per user will probably work under Debian.
> >
> > -Dave
> >
> > Dave Hall
> > Binghamton University
> > kdhall at binghamton.edu
> > 607-760-2328 (Cell)
> > 607-777-4641 (Office)
> >
> >
> > On 5/17/2019 2:20 PM, Patrick Proniewski wrote:
> >> Hello
> >>
> >> I'm using a comparable setup (on FreeBSD).
> >> You are right about the default UID, it's root but you don't have
> >> anything to do about that (don't change User and Group directives in
> >> httpd.conf).
> >>
> >> And you'll probably have to set up a config for every user who will
> >> publish web pages (it's what I've done).
> >> I've a script to provision user accounts, this script grants student
> >> access (/etc/group), creates DB, and creates an apache config file (one per
> >> user):
> >>
> >> modules.d/999_itk_php_<LOGIN>.conf
> >>
> >> with content like this:
> >>
> >> <Directory /user/<LOGIN>/public_html>
> >>         AssignUserID <LOGIN> <GID>
> >> </Directory>
> >>
> >> Be sure to set up text-only error messages. Don't use:
> >>
> >> ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
> >> ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
> >> ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
> >>
> >> but use:
> >>
> >> ErrorDocument 404 "404 file not found"
> >> ErrorDocument 400 "400 HTTP_BAD_REQUEST"
> >> ErrorDocument 401 "401 HTTP_UNAUTHORIZED"
> >>
> >> (full explanation: <https://www.patpro.net/blog/index.php/2013/03/30/2442-track-mpm-itk-problems-with-truss/>)
> >>
> >> patpro
> >>
> >>> On 17 mai 2019, at 19:30, Dave Hall <kdhall at binghamton.edu> wrote:
> >>>
> >>> Please pardon if this has already been discussed or solved.
> >>>
> >>> I am running Apache 2.4 in an academic environment where we use
> >>> mod_userdir to teach web programming.  Apparently suphp is now defunct, and
> >>> php-fpm seems very burdensome for the number of users we have.
> >>>
> >>> I've seen various references to using mpm-itk with userdir, but none
> >>> of the examples I've found discuss where to place the config or any other
> >>> requirements (i.e. the startup userid for Apache - does it have to be root
> >>> for ITK to work?).
> >>>
> >>> Can anybody provide a detailed config for a working installation?
> >>> Alternatively, if it has been decided that userdir with mpm-itk just
> >>> doesn't work, please tell me.
> >>>
> >>> Thanks.
> >>>
> >>> -Dave
> >>>
> >>> --
> >>> Dave Hall
> >>> Binghamton University
> >>> kdhall at binghamton.edu
> >>> 607-760-2328 (Cell)
> >>> 607-777-4641 (Office)
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> mpm-itk mailing list
> >>> mpm-itk at err.no
> >>> http://lists.err.no/mailman/listinfo/mpm-itk


-- 
Mvh.
Kim Henriksen
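
The per-user config file approach quoted above and the per-user PHP temp paths from this reply can be generated by one provisioning step. The script below is an added example, not code from either poster. Assumptions: regular accounts start at UID 1000 (`MIN_UID`), homes live under `/home`, and the PHP paths are set with `php_admin_value` in the generated `<Directory>` block instead of `.htaccess`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: render a per-user mpm-itk config block (not from the thread).
MIN_UID=1000   # assumption: regular accounts start here (Debian default)

# Accept only lowercase logins (same character class as the SetEnvIf
# regex in the message) that belong to a non-system account.
valid_account() {  # usage: valid_account LOGIN UID
    case "$1" in
        ''|*[!a-z]*) return 1 ;;
    esac
    [ "$1" != "root" ] && [ "$2" -ge "$MIN_UID" ]
}

# Print the Apache config for one user on stdout; fail without output
# when the account must not be mapped.
render_user_conf() {  # usage: render_user_conf LOGIN UID GROUP
    login=$1 uid=$2 group=$3
    valid_account "$login" "$uid" || {
        echo "refusing to map account '$login' (uid $uid)" >&2
        return 1
    }
    home="/home/$login"   # assumption: home directory layout
    cat <<EOF
<Directory $home/public_html>
    AssignUserID $login $group
    php_admin_value upload_tmp_dir $home/.php/tmp
    php_admin_value session.save_path $home/.php/session
</Directory>
EOF
}

# Constructed sample accounts: LOGIN UID GROUP
render_user_conf alice 1001 alice
render_user_conf root 0 root || true     # rejected by name
render_user_conf mysql 110 mysql || true # rejected by UID threshold
```

In a real provisioning run the UID would come from `id -u "$login"` and the output would be redirected into the per-user config file; the `.php/tmp` and `.php/session` directories must exist and be owned by the user.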