Home / server / Questions / 618597
In Process
Alex R
Asked: 2014-08-07 20:34:54 +0800 CST

Apache Per-user web directories under user's own ID instead of www-data?

  • 772

Talking about this feature http://httpd.apache.org/docs/current/howto/public_html.html

Is there a way (HOW?) to have Apache take on (setuid) the ID of each "~user", instead of doing everything under the www-data userid?

There is a related question here: Apache per user permissions

In that question, one answer actually advises against doing what I'm asking:

If you were to run one apache instance for each user, and have that apache owned by the user, you'd thereby grant apache permissions to write to all of the user's directories. That's generally not considered a good idea at all.

The fact that the answerer stated that you SHOULD NOT do this, seems to imply that you CAN do it. So now I'm just asking HOW TO do it, because I have a very specific use-case that requires it, but running a separate instance for each userid is too resource-intensive. So, is there an easier way?

apache-2.4

2 Answers

  1. You might want to try Apache ITK MPM. It works like the traditional Apache prefork model, but assigns a different UID for each virtual host. And if you use Apache 2.4, you can use mod_rewrite to make ~/ paths to use the UID of that particular homedir as instructed by ITK MPM home page.

    RewriteEngine on
RewriteRule /~([a-z]+)/ - [E=ITKUID:$1]
AssignUserIDExpr %{reqenv:ITKUID}
    • 1

  2. Yes, you would enable SuExec.

    https://httpd.apache.org/docs/2.4/suexec.html

    Specifically, the section that begins Using suEXEC.

    Quoted here for convenience:

    Using suEXEC

    Requests for CGI programs will call the suEXEC wrapper only if they are for a virtual host containing a 'SuexecUserGroup' directive or if they are processed by 'mod_userdir'.

    Virtual Hosts: One way to use the suEXEC wrapper is through the 'SuexecUserGroup' directive in 'VirtualHost' definitions. By setting this directive to values different from the main server user ID, all requests for CGI resources will be executed as the User and Group defined for that ''. If this directive is not specified for a '' then the main server userid is assumed.

    User directories: Requests that are processed by 'mod_userdir' will call the suEXEC wrapper to execute CGI programs under the userid of the requested user directory. The only requirement needed for this feature to work is for CGI execution to be enabled for the user and that the script must meet the scrutiny of the security checks above. See also the '--with-suexec-userdir' compile time option.

    You'll need to insure the '--with-suexec-userdir' compile time option is enabled in your Apache build.

    • 0