Building and using Apache MPM ITK for improved security in shared hosting environments
Apache2-mpm-itk provides a modified httpd daemon that allows each web site (vhost) in a shared hosting environment to run under a separate user account.
By default, without a solution like mpm-itk, all web sites run under the "apache" user account. If all web sites are managed by the same entity, this is not necessarily a big issue. However, if the content of these sites is managed by more than one entity, or if one of those sites is hacked, there are serious security implications.
In order for the apache daemon (httpd) to be able to serve-up content and execute PHP for all of the web sites it hosts, all files must be readable by the "apache" user. This includes:
Features within PHP designed to mitigate these problems, such as Safe Mode, are next to useless and can provide a false sense of security. These features are trivial to bypass. Consequently, Safe Mode itself has been removed from PHP 5.4 and above.
Anyone familiar with how a traditional Unix SMTP MTA delivers mail to local users will be familiar with the basic mechanics of mpm-itk. Instead of running as the "apache" user, httpd runs as root, but with limited privileges.
The spec file can be downloaded from the original source. For those more security conscious, this is a patch against the current (2.2.3-65) httpd.spec, complete with explanation:
To use the ITK MPM, you'll need to modify your Apache startup configuration:
When using worker MPM with PHP, special considerations apply:
Each virtual host runs under its own user account, preventing cross-site access to sensitive files and configurations.
Faster than CGI solutions like suexec while maintaining security isolation between different hosted sites.
Safely use non-thread-aware code and PHP extensions that wouldn't work properly in threaded environments.
Our technical team has extensive experience with Apache MPM configurations and can help you implement secure hosting solutions.