In this scrap I will tell you about an important Apache module called Apache2 MPM-itk. It is a useful Apache module for shared hosting providers and can be a replacement for suEXEC.
First, let's look at the current Apache environment:
When you start the Apache server, a parent process starts first, running as root. For further requests to the server (to a virtual host), child processes are forked by the parent process. The child processes run as nobody or as apache (according to the User option in httpd.conf). Since all child processes run as nobody, the files and scripts of every virtual host are executed as nobody.
The drawbacks of this environment:
The PHP scripts of a virtual host also run as nobody, so if a vulnerable PHP script runs on your server you cannot identify the user under which the script runs. If the virtual host has Python and Perl scripts, these also run as nobody.
To overcome this issue you can use suEXEC and suPHP (currently used on most servers/VPSes). When you use suEXEC or suPHP, the PHP scripts run as the owner of the virtual host. Since the PHP scripts run with that user's permissions, a vulnerable PHP script can be tracked.
The drawbacks of suEXEC and suPHP:
suEXEC requires execute permission for the user
suEXEC/suPHP only support PHP scripts or dynamic files.
Issues that still exist:
1) Python, Perl and CGI scripts, HTML files and images are still processed by the Apache process, which runs as user nobody.
2) You still do not know which virtual host consumes a lot of CPU/memory.
The final solution is Apache2 MPM-itk
The solution to the above issues is that the httpd process which handles a request for a virtual host must run under the username of the virtual host's owner, and this is what Apache2 MPM-itk does. That is, when you install Apache2 MPM-itk, the httpd process which handles requests for a virtual host runs as the owner of that virtual host.
Advantages of using Apache2 MPM-itk:
1) The virtual host which consumes high resources (CPU/memory) can be tracked.
2) It can be used as a major replacement for suEXEC/suPHP.
3) All dynamic scripts (PHP, Python, Perl, CGI) and static files (HTML, image files) are processed as the user who owns them.
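
The tracking described in advantage 1 can be done by summing worker CPU and memory per owning user. This is an added example, not part of the original post: the function names, the sample data and the process name httpd are assumptions.

```shell
#!/bin/sh
# Per-virtual-host resource accounting under MPM-itk: each request is
# handled by an httpd process running as the vhost owner, so grouping
# the worker processes by user gives a per-vhost view.

# Reads lines of "<user> <pcpu> <rss_kb>" on stdin and prints
# "<user> <workers> <cpu%> <rss_mb>", heaviest CPU consumer first.
vhost_usage() {
    LC_ALL=C awk 'NF >= 3 {
            n[$1]++           # worker processes seen for this user
            cpu[$1] += $2     # summed %CPU
            rss[$1] += $3     # summed resident memory in KiB
        }
        END {
            for (u in n)
                printf "%s %d %.1f %.1f\n", u, n[u], cpu[u], rss[u] / 1024
        }' | LC_ALL=C sort -k3,3nr -k1,1
}

# Reads the same input and prints the non-root user with the most CPU.
# root is skipped because the parent process always runs as root.
top_vhost_user() {
    vhost_usage | awk '$1 != "root" { print $1; exit }'
}

# Constructed sample data (not real output), in the format produced by:
#   ps -C httpd -o user= -o pcpu= -o rss=
# alice and bob are hypothetical vhost owners.
sample_ps() {
    cat <<'EOF'
root 0.0 10240
alice 12.5 51200
alice 30.0 61440
bob 1.5 20480
nobody 0.2 8192
EOF
}

sample_ps | vhost_usage
```

On a live server, pipe the ps command shown in the comment into vhost_usage instead of the sample data. Without MPM-itk the same command would show every worker under nobody, which is the drawback described earlier.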