Securing Apache web server on Ubuntu Linux

Running Apache virtual hosts as different users

By default, Apache on Ubuntu executes all PHP scripts as the www-data user. When multiple mutually distrusting users can put their own PHP scripts on the server, they can therefore read each other's private data.

For example, user1 could upload a PHP script that accesses the file ‘file1.txt’ belonging to user2:

echo file_get_contents("/home/user2/www/file1.txt");

The obvious solution to this problem is to run PHP scripts as the user they belong to, rather than as Apache’s www-data user. Fortunately, there is a fairly simple way to achieve that: the apache2-mpm-itk module, which allows each virtual host to run under a separate user and group.

All we have to do to install the apache2-mpm-itk module on Ubuntu is run the following as root:

aptitude install apache2-mpm-itk

and then add the AssignUserId directive to the virtual host as follows:

<VirtualHost *:80>
    DocumentRoot "/home/user1/www"
    <Directory /home/user1/www>
        ....
    </Directory>
    ServerName ...
    ...
    AssignUserId <user-name> <group-name>
</VirtualHost>

and restart Apache afterwards:

/etc/init.d/apache2 restart

That’s all! To find out which user a PHP script is running as, the following code can be used:

system("id"); // system() prints the command output itself

Some notes about the apache2-mpm-itk module:

  • MPM is short for Multi-Processing Module.
  • mpm-itk works with mod_php because mpm-itk is based on the traditional prefork MPM, which means it is non-threaded.
  • The suExec and suPHP modules are no longer needed.

Configuring access permissions of user home folders

By default, Ubuntu creates user home directories as world readable, with permissions drwxr-xr-x, so the apache2-mpm-itk module will not have the desired effect until unprivileged users are restricted from reading each other's private data.

Permissions for the home directories of existing users can be changed with two simple commands:

cd /home/
chmod o-rwx *

The default Ubuntu behavior can be changed by reconfiguring the adduser package and selecting ‘No’ when asked whether or not you want world/system readable home directories:

dpkg-reconfigure adduser
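
To check that both steps above are actually in place, the following script (an added example, not part of the original article) reports virtual hosts that lack an AssignUserId directive and home directories that still grant permissions to "other". The function names, the example.conf file and the user1.example/user2.example hosts are assumptions made up for the demonstration.

```bash
#!/bin/bash
# Added example: audit the two settings described in this article.

# Print "file:line" of every <VirtualHost> block that has no AssignUserId
# directive (Apache directive names are case-insensitive).
vhosts_without_assignuserid() {
    awk '
        tolower($1) ~ /^<virtualhost/   { start = FNR; assigned = 0 }
        tolower($1) == "assignuserid"   { assigned = 1 }
        tolower($1) ~ /^<\/virtualhost/ { if (!assigned) print FILENAME ":" start }
    ' "$@"
}

# Print "perms path" for each directory directly under $1 whose "other"
# permission field (characters 8-10 of the ls -ld mode string) is not "---".
world_accessible_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        perms=$(ls -ld "$d" | cut -c8-10)
        [ "$perms" = "---" ] || printf '%s %s\n' "$perms" "${d%/}"
    done
}

# Constructed sample: two vhosts (one missing AssignUserId) and two home
# directories (one still world readable), built in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/user1" "$tmp/home/user2" "$tmp/sites"
    chmod 750 "$tmp/home/user1"; chmod 755 "$tmp/home/user2"
    cat > "$tmp/sites/example.conf" <<'EOF'
<VirtualHost *:80>
    ServerName user1.example
    DocumentRoot "/home/user1/www"
    AssignUserId user1 user1
</VirtualHost>
<VirtualHost *:80>
    ServerName user2.example
    DocumentRoot "/home/user2/www"
</VirtualHost>
EOF
    (cd "$tmp" && vhosts_without_assignuserid sites/example.conf
     world_accessible_homes home)
    rm -rf "$tmp"
}
demo
```

On a real server, pass the virtual host configuration files and /home to the two functions instead of the scratch directory.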
