Run Apache with different user

In WordPress and other applications, we often run into file ownership issues. Developers need their own user to deploy code on the server and make changes to certain files. If we give ownership of the files to the DEV user, the www-data user can no longer write to them. When WordPress then tries to install or delete a plugin or theme, it fails and typically shows the FTP user details page instead.

To provide the FTP user's password, we need to write its credentials in a PHP file. Keeping credentials in a file is a security threat and not good practice.

The alternative is to give www-data ownership of all files recursively and assign group permissions to the DEV user recursively. The issue in this scenario is that whenever a developer uploads a new file or deletes previous files, the user ownership changes to the DEV user instead of www-data. This again prevents WordPress from installing or deleting a plugin or theme.

To counter all of the above issues, we can use an Apache module that makes Apache run as our desired user instead of www-data. This is done at the virtual host level: in each vhost we define the user that the relevant website should run as.

If we do not want a vhost to run as a different user and want it to keep the default www-data user, we simply make no changes and leave the vhost as it is.

 

The most commonly recommended option for this purpose is MPM-ITK (a quick hack would be to add yourself to the www-data group using "sudo usermod -a -G www-data USERNAME"):

sudo apt-get install apache2-mpm-itk
sudo a2enmod mpm_itk

Modify the virtual host config file in /etc/apache2/sites-available:

<VirtualHost *:80>
    ServerName HOSTNAME
    ServerAdmin webmaster@site.com

    <IfModule mpm_itk_module>
        AssignUserID USERNAME GROUPNAME
    </IfModule>

    DocumentRoot /home/USERNAME/www/docs
    ErrorLog /error/log/path/logs/error.log
    CustomLog /combined/log/path/logs/access.log combined
</VirtualHost>

 

PLEASE NOTE:
If you are doing this on a machine that already had a default install where MPM-PREFORK is enabled, you have to disable it first:

sudo a2dismod mpm_prefork
sudo a2enmod mpm_itk

Now, before restarting or reloading Apache, we need to test the syntax of our changes by running:

apache2ctl -t

If the syntax test shows OK, we can restart or reload Apache.
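
Added example, not part of the original post: a Python check that reads vhost configuration text and reports which user each VirtualHost would run as, so a wrong or missing AssignUserID is caught before Apache is reloaded. The sample config, the hostnames and users (alice, bob) and the finding names are constructed for illustration; comparing the /home/USER part of DocumentRoot with the assigned user is a heuristic based on the layout shown above.

```python
import re

# Constructed sample config (not from a real server).
SAMPLE = """<VirtualHost *:80>
ServerName dev.example.test
<IfModule mpm_itk_module>
AssignUserID alice alice
</IfModule>
DocumentRoot /home/alice/www/docs
</VirtualHost>
<VirtualHost *:80>
ServerName legacy.example.test
DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
ServerName shop.example.test
AssignUserID root root
DocumentRoot /home/bob/www/docs
</VirtualHost>"""
DEFAULT_USER = "www-data"  # user a vhost keeps when it sets no AssignUserID

def _check(v):
    if v["user"] == "root":
        v["findings"].append("runs-as-root")
    m = re.match(r"/home/([^/]+)/", v["documentroot"])
    if m and m.group(1) != v["user"]:  # heuristic: home dir name vs assigned user
        v["findings"].append("docroot-home-mismatch")
    return v

def audit_vhosts(conf_text):
    """Return one dict per <VirtualHost> block: servername, user, documentroot, findings."""
    results, cur = [], None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out directive
        key = parts[0].lower()  # Apache directive names are case-insensitive
        if key.startswith("<virtualhost"):
            cur = {"servername": None, "user": DEFAULT_USER, "documentroot": "", "findings": []}
        elif cur is None:
            continue  # directive outside any vhost
        elif key == "</virtualhost>":
            results.append(_check(cur))
            cur = None
        elif key in ("servername", "documentroot") and len(parts) > 1:
            cur[key] = parts[1].strip('"')
        elif key == "assignuserid" and len(parts) == 3:
            cur["user"] = parts[1]
    return results
```

Pass the contents of a file from /etc/apache2/sites-available to audit_vhosts() and review any vhost whose findings list is not empty.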
