Tech Guides 02 May 2007 03:42:03
Increasing Apache’s Security
While the Apache HTTP Server is a wonderful piece of software, it sadly does not have any built-in way of running vhosts as the user they represent, which has been the headache of many an admin. One either has to fiddle with groups, run multiple daemons, or do something worse. In most cases, it led to users being able to access each other’s files. There was an experimental multi-processing module called perchild designed to combat this, but it ultimately never made it into the 2.2 branch. Speak no evil of the dead, and so forth.
If one is able to apply and maybe edit a patch, one can achieve near-perfect user separation in a single Apache process, though.
Two projects, Telana peruser by Sean Gabriel Heacock and the ITK mpm by Steinar H. Gunderson, provide such patches. Each has its own gotchas and configuration, but once you get either of them working you’ll never want to go back to running Apache as a single global user. Why neither of these has been included upstream or in major distributions, one can but wonder…