Right now on an Ubuntu 14.04 server, WordPress (and Apache2) creates folders with www-data:www-data owner:group. The goal is to have Apache create files with different owners depending on which site it's serving. wp_one:www-data within one WordPress instance, wp_two:www-data within a second WordPress instance.

Changing the APACHE_RUN_USER value within /etc/apache2/envvars would work if only one user was required. But each WordPress instance requires a different owner.

The logical place seems to be within the Virtual Host conf file for each site. But I can't quite pull it off.

What is the syntax for adding an owner that Apache will respect within the virtual host?

This doesn't work:

    <Directory /var/www/wpone>
        export APACHE_RUN_USER=wp_one
    </Directory>

nor this:

    <Directory /var/www/wpone>
        User: name="wp_one"
    </Directory>

I'd like to run many WP instances from a single server, each with different owners isolated from each other. My permission problems could be solved by adding the owners to the www-data group, but then each would have too much access to the other WP instances on the server.

1 Answer

You can use apache2-mpm-itk instead

Prepare test environment

    # useradd -d /vhosts/wp1.example.net/ wp1
    # mkdir -p /vhosts/wp1.example.net/public_html
    # mkdir -p /vhosts/wp1.example.net/tmp
    # chmod 770 /vhosts/wp1.example.net/
    # chown -R wp1:wp1 /vhosts/wp1.example.net/

Create test virtual host

    <VirtualHost *:80>
        ServerName wp1.example.net
        ServerAdmin webmaster@localhost
        DocumentRoot /vhosts/wp1.example.net/public_html
        php_admin_value upload_tmp_dir /vhosts/wp1.example.net/tmp/
        php_admin_value session.save_path /vhosts/wp1.example.net/tmp/
        AssignUserID wp1 wp1
        <Directory /vhosts/wp1.example.net/public_html>
            Options -Indexes
            AllowOverride all
            Require all granted
        </Directory>
    </VirtualHost>

Create sample script

    # cat test.php
    <?php echo exec('id');

Basic test

    # curl http://wp1.example.net/test.php
    uid=1004(wp1) gid=1004(wp1) groups=1004(wp1)

  • That would work. But it appears that the security downsides may be worse than the security problem I'm trying to prevent. The Apache Wiki, linked to in the mpm-itk documentation, has this to say: "MPM-ITK, on the other hand, processes request headers under root, switches to the target userid, and then kills the httpd process when finished serving the connection. As discussed above, this has serious security and performance implications." Commented Mar 7, 2016 at 19:07
  • I have never seen any performance issues with itk. I have been using mpm-itk with a custom patch to serve 2k+ vhosts with WP/Drupal/Joomla for 5 years. Commented Mar 7, 2016 at 19:18
  • It's not performance so much as security that concerns me. I see that it's harder than I thought. Perhaps I should run periodic root cron jobs that, for each instance, run something like: sudo chown -R wp_one:www-data /var/www/wpone/.../uploads/ Commented Mar 7, 2016 at 22:17
  • As you wish, but I have never heard of a critical vulnerability in mpm-itk. But I have heard of a lot in WP ;) Commented Mar 7, 2016 at 23:45
  • WP insecurities? Tell me about it! :) It's why I really don't want any one user to be able to break out of their web root. But I have script kiddies pounding on my boxes day and night. I'm not anxious to introduce another attack surface. Commented Mar 8, 2016 at 1:03
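An added check, not part of the question or the answer above: a small Python audit that parses <VirtualHost> blocks for the mpm-itk AssignUserID directive and flags sites that would still share a user (no AssignUserID, so the global www-data user applies; the same user on two vhosts; or root/www-data assigned). The sample configuration and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the page): three WordPress vhosts in the
# style of the answer above. wp1 and wp2 share a user, wp3 has no AssignUserID.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName wp1.example.net
    AssignUserID wp1 wp1
</VirtualHost>
<VirtualHost *:80>
    ServerName wp2.example.net
    AssignUserID wp1 wp1
</VirtualHost>
<VirtualHost *:80>
    ServerName wp3.example.net
    DocumentRoot /vhosts/wp3.example.net/public_html
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|DocumentRoot|AssignUserID)\s+(.+?)\s*$", re.M | re.I)


def parse_vhosts(conf):
    """Return one dict per <VirtualHost> holding the directives we audit."""
    vhosts = []
    for body in VHOST_RE.findall(conf):
        vh = {"servername": None, "documentroot": None, "assignuserid": None}
        for name, value in DIRECTIVE_RE.findall(body):
            vh[name.lower()] = value  # Apache directive names are case-insensitive
        vhosts.append(vh)
    return vhosts


def audit_isolation(conf, global_user="www-data"):
    """Return (vhost, finding) pairs; an empty list means each vhost has its own unprivileged user."""
    findings, by_user = [], defaultdict(list)
    for vh in parse_vhosts(conf):
        name = vh["servername"] or vh["documentroot"] or "<unnamed vhost>"
        if vh["assignuserid"] is None:
            findings.append((name, f"no AssignUserID: runs as global user {global_user}"))
            continue
        user = vh["assignuserid"].split()[0]  # first token is the user, second the group
        if user in ("root", global_user):
            findings.append((name, f"AssignUserID {user}: no isolation from other sites"))
        by_user[user].append(name)
    for user, names in by_user.items():
        if len(names) > 1:  # two sites under one uid can read and write each other's files
            findings.append((", ".join(names), f"share user {user}: no isolation between them"))
    return findings
```

Run it against the real vhost files (`audit_isolation(open(path).read())`) and pair it with a check that each DocumentRoot is owned by the user named in its AssignUserID.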
