The challenge with securing a shared hosting server is how to secure the website from attack both from the outside and from the inside. PHP has built-in features to help, but ultimately it's the wrong place to address the problem. Apache has built-in features too, but the performance cost of these features is prohibitive.

This has created a gap that a number of third-party solutions have attempted to fill. One solution you may have heard of is mpm-itk, by Steinar H. Gunderson. How well does it work, and how well does it perform?

  • mpm-itk: Running Apache As A Specified User
  • Installing mpm-itk
  • Configuring Apache
  • Some Benchmarks
  • Other Considerations
  • Conclusions

mpm-itk: Running Apache As A Specified User

Like mpm-peruser, mpm-itk is an alternative multi-processing module (MPM) for Apache 2.x. It also allows each website’s PHP scripts to run as a separate user. But the main difference is that it doesn’t maintain separate pools of processes for each user. Instead, after the PHP request has completed, each process is terminated, and new processes must be created to handle new requests.

Until I researched mpm-itk for this article, I didn’t realise that it didn’t recycle processes after each request. This means that there’s no chance at all of it matching mpm-peruser for performance (something I suggested was possible), but that doesn’t mean that mpm-itk is entirely without merit.

Installing mpm-itk

mpm-itk needs to be compiled into your Apache installation. It cannot be loaded as a module.

First of all, download the Apache source code, and then download either the mpm-itk patch for Apache 2.0, or the mpm-itk patch for Apache 2.2. For this article, I’m going to focus on Apache 2.2, but the same instructions should apply for Apache 2.0.

Unpack the Apache source code, apply the mpm-itk patch, and rebuild Apache’s build scripts:

$ mkdir -p /tmp/apache-itk
$ cd /tmp/apache-itk
$ wget http://www.mirrorservice.org/sites/ftp.apache.org/httpd/httpd-2.2.8.tar.gz
$ wget http://mpm-itk.sesse.net/apache2.2-mpm-itk-20080105-00.patch
$ tar -zxf httpd-2.2.8.tar.gz
$ cd httpd-2.2.8
$ patch -p1 < ../apache2.2-mpm-itk-20080105-00.patch
$ autoconf

Then, configure the Apache source code to build with mpm-itk as the chosen MPM. Make sure that you run configure with any other configuration switches that you need:

$ ./configure --with-mpm=itk

After that, compile and install Apache:

$ make && make install

Configuring Apache

mpm-itk is very easy to configure. For each of your virtual hosts, simply add the AssignUserId entry:

<VirtualHost *:80>
ServerName www.example.com
...

<IfModule mpm_itk_module>
AssignUserId stuart stuart
</IfModule>
</VirtualHost>

AssignUserId takes two parameters:

  • The first parameter is the user ID to run Apache under for this website.
  • The second parameter is the group ID to run Apache under for this website.

Remember to restart Apache after adding AssignUserId, and you should be all set.
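
The following script is an added example, not code from the original article or from the mpm-itk project. It audits a configuration for virtual hosts that undermine the isolation AssignUserId is meant to provide: a vhost with no AssignUserId (it runs as Apache's default user), a vhost assigned to root, and vhosts that share one account. The sample configuration, host names and the function name audit_vhosts are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the article): one vhost lacks AssignUserId, two share a user.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.example.com
    <IfModule mpm_itk_module>
        AssignUserId stuart stuart
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.org
    # AssignUserId alice alice
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.net
    AssignUserId stuart stuart
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|AssignUserId)\s+(.+?)\s*$", re.I | re.M)

def audit_vhosts(conf_text):
    """Return a list of (server_name, finding) for vhosts that weaken isolation."""
    findings, owners = [], defaultdict(list)
    for body in VHOST_RE.findall(conf_text):
        # Drop comment lines so a commented-out directive is not counted.
        live = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))
        seen = {k.lower(): v for k, v in DIRECTIVE_RE.findall(live)}
        name = seen.get("servername", "<unnamed>")
        ids = seen.get("assignuserid", "").split()
        if len(ids) != 2:
            findings.append((name, "no valid AssignUserId: runs as Apache's default user"))
            continue
        if ids[0] in ("root", "0"):
            findings.append((name, "AssignUserId is root"))
        owners[ids[0]].append(name)
    for user, names in owners.items():
        if len(names) > 1:
            for n in names:
                findings.append((n, f"shares user '{user}' with another vhost"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_vhosts(SAMPLE_CONF):
        print(f"{name}: {finding}")
```

To check a real server, pass the contents of its vhost configuration files to audit_vhosts() instead of SAMPLE_CONF.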

Some Benchmarks

To benchmark mpm-itk, I used Apache's ab benchmark to load a simple phpinfo() page 1,000 times. I ran the benchmark five times, and averaged the results.

  • mpm-itk: average of 37.01 seconds
  • mpm-prefork: average of 6.21 seconds

mpm-itk benchmarks much better than suexec and suphp, but is still quite a bit slower than mpm-peruser.

Other Considerations

It isn’t just about performance. Both suexec and suphp bring limitations to your PHP applications, but mpm-itk does not. Because mpm_itk puts the job of switching users in the right place – at the heart of Apache – it allows your code to run under mod_php. As a result, your code is free to take advantage of any Apache features that aren’t available to PHP/CGI, such as HTTP authentication support.

Another consideration is the impact on RAM and CPU. Whilst you can definitely use mpm-peruser to provide a faster solution, it does involve a lot of effort in tuning the size of the process pools for each of the websites on a shared server. On a shared hosting server, you can’t necessarily find one tuned configuration that always suits demand – and it may not be worth your time to put the effort in anyway. Although mpm-itk is slower, it doesn’t need tuning for each individual website. It’s more of a fire-and-forget solution that might appeal to hosting providers who don’t know (and don’t really need to care) what their customers’ websites are.

Conclusions

Although it needs to be compiled from source, mpm-itk provides the security of suexec and suphp with much greater performance than either of these solutions. Although it performs worse than mpm-peruser, mpm-itk doesn’t require as much effort to configure and tune for best performance, and its greater simplicity probably makes it better suited to shared hosting servers running a random collection of websites.

mpm-itk is an option that you should seriously consider when designing your shared hosting server solution.

This article is part of The Web Platform, an on-going series of blog posts about the environment that you need to create and nurture to run your web-based application in. If you have any topics that you'd like to see covered in future articles, please leave them in the comments on this page.

35 Comments

  1. Stuart Herbert Takes a Look at apache2-mpm-itk | Mats Lindh says:
    April 29th, 2008 at 9:48 pm

    [...] Herbert has taken a closer look at apache2-mpm-itk , a patch for the apache2 prefork handler to enable Apache to switch which user [...]

  2. infernix says:
    May 13th, 2008 at 2:00 pm

    You should really have a look at php with fastcgi as well; it should perform much better than the suexec cgi solution you tried. I’d be interested in the results you get :)

  3. Alexandre says:
    July 10th, 2008 at 11:20 pm

    Is this normal?

    root 2743 0.8 3.7 23480 9712 ? Ss 23:18 0:00 /usr/sbin/apache2 -k start
    www-data 2744 0.0 1.2 19432 3108 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
    root 2749 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
    root 2750 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
    root 2751 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
    root 2752 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start
    root 2753 0.0 1.9 23480 4992 ? S 23:18 0:00 \_ /usr/sbin/apache2 -k start

  4. Centos 5 and mpm-itk | hostby.net says:
    July 12th, 2008 at 4:55 pm

    [...] Stuart Herbert discussion of the pros and cons of different solutions to this problem and his evaluation of mpm-itk I decided to look into it further. One nice solution that has been developed is mpm-peruser but that [...]

  6. Linux Family » Blog Archive » Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch says:
    August 19th, 2008 at 8:26 am

    [...] For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/. [...]

  7. Ortolafango Bertolomäo Gnorzki says:
    November 18th, 2008 at 1:52 pm

    Good article – would be even better with a PRINT VIEW of this article!

  8. itk vs peruser - wydajność apache - Oj, a ja taki nieuczesany… says:
    March 13th, 2009 at 12:48 am

    [...] enough theory, here are links where you can read how to configure both itk and peruser, and let's move on to [...]

  9. Securing a shared server with mpm-itk | svedin.org says:
    April 6th, 2009 at 8:01 pm

    [...] searching for how I could secure my web server environment I came across this wonderful post. I was already using suPHP. Replacing it with mpm-itk was very simple since mpm-itk was already in [...]

  10. Jones says:
    April 11th, 2009 at 6:41 pm

    ok, guys, read this: if you try mpm_itk on debian, you will run into trouble with mod_cgid – this is what debian defaults to install, but this will not run with mpm_itk, so you need to replace it with mod_cgi – without the trailing d! As a cherry on top of this debian maintainers built a nice script a2enmod and a2dismod, which will not behave as expected – when used like “a2enmod cgi” it will reinstall mod_cgid – not mod_cgi. So you have to replace the links in /etc/apache/mods-enabled manually. Good luck!

  11. Devrim says:
    May 19th, 2009 at 5:10 pm

    Hi,

    When people come in to my vhost, they are web_guest (thanks to mpm-itk)

    When user logs in he must be : Stuart

    so i need to be able to change this from my php-application

    So my vhost directive has to change only for the logged in user Stuart (remain the same for the rest)

    From:

    AssignUserId guest_user guest_group

    To:

    AssignUserId Stuart user_group

    I’d appreciate if you could give some directions…
    Thanks,
    D

  12. Stuart Herbert says:
    May 20th, 2009 at 8:12 am

    @devrim I don’t think mpm-itk is the right solution for your problem. mpm-itk can control the Linux user that Apache runs as, but it can’t help you manage users within your PHP application.

  13. Ant says:
    June 23rd, 2009 at 10:42 am

    Not so much a good solution for Cpanel. I gave it a shot. Worked great till I went to login cpanel. Returned internal server error 500, because the user cpanel logs in as nobody and the user isn’t allowed.

    Also saw that no one could access the /tmp folder using sessions :(

  14. Stuart Herbert says:
    June 23rd, 2009 at 12:52 pm

    @ant: anything that relies on the user ‘nobody’ is fundamentally broken. ‘nobody’ is the user that the root user gets mapped to in more secure NFS environments.

    You shouldn’t put sessions in /tmp, but if /tmp is set up correctly, there should be no reason why mpm-itk can’t access sessions stored in there.

  15. Fuji says:
    June 27th, 2009 at 12:17 am

    Awesome group of articles Stuart. Had a couple of questions that I would love your input on

    1) mpm-itk should be compatible with opcode cachers like APC right?

    2) Have you tried php-fpm? From what I have read, it looks like it offers the same ability as suphp and doesn't take the performance hit (not sure if it's faster than mpm-itk)

  16. Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Ubuntu 9.04 | All Free For You says:
    June 30th, 2009 at 12:27 am

    [...] For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/. [...]

  17. G.Schuster says:
    July 17th, 2009 at 1:37 am

    [quote]As a result, your code is free to take advantage of any Apache features that aren’t available to PHP/CGI, such as HTTP authentication support.[/quote]
    Well, there are ways to, at least, support HTTP auth within PHP with a little trick – Apache's RewriteMap is the key.
    For a detailed explanation (sorry, available in German only) see the following forum topic: http://forum.webhostlist.de/forum/webserver-software-linux-unix-etc/102327-howto-php_auth_user-_pw-fuer-php-cgi.html

  18. Mark says:
    August 10th, 2009 at 2:46 pm

    This is a great blog! After several pages I’m trying to combine mpm-itk with mod-fcgid on Ubuntu (Hardy). The reason is that I would like to use mpm-itk combined with the ability to use per-user php.ini files. Unfortunately I’m out of luck, as soon as I use AssignUserId I get these errors in Apache’s error log:

    [emerg] (13)Permission denied: mod_fcgid: can’t get lock, pid: 9319

    Is it possible at all to combine mpm-itk with mod-fcgid? Or is there a better way to use per-user (per VirtualHost) php.ini files together with mpm-itk?

    Right now I’m using suPHP but when the server is busy this just eats my CPU.

  19. Apache ITK mit mod_php und eingener php.ini « Benjamin Börngen-Schmidt says:
    September 2nd, 2009 at 3:55 pm

    [...] process, run under this user. Stuart Herbert has written a nice introductory article on Apache ITK in his blog. AssignUserID user [...]

  20. Lawrence Williams says:
    November 24th, 2009 at 3:07 pm

    Got mpm-itk working with Apache 2.2.14 on cPanel using the “series” of patches, not the monolithic one.

    Everything works well, but just a quick warning: eAccelerator doesn’t work properly and will eat through gigs of RAM in a mere few minutes (not a problem when prefork is in use).

    Haven’t tried xcache or APC yet.

  21. tech.webportfolio.hu » Installing apache2-mpm-itk on a Virtualmin based Ubuntu 8.04 says:
    March 1st, 2010 at 9:17 pm

    [...] So, I started to look for a solution, and luckily, I came across with Stuart Herbert’s Blog, and with the post of apache mpm-itk. [...]

  22. Nikolay Ulyanitsky says:
    May 1st, 2010 at 12:05 pm

    Increase Apache Vhost Security With mpm-itk In RHEL/CentOS 5

  23. Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch | All Free For You says:
    May 13th, 2010 at 6:02 pm

    [...] For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/. [...]

  24. Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Ubuntu 9.10 | All Free For You says:
    May 14th, 2010 at 12:29 am

    [...] For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/. [...]

  25. Installing apache2-mpm-itk on a Virtualmin based Ubuntu 8.04 | Elfeledett fotósfelszerelések says:
    June 22nd, 2010 at 7:47 am

    [...] So, I started to look for a solution, and luckily, I came across with Stuart Herbert’s Blog, and with the post of apache mpm-itk. [...]

  26. Installing apache2-mpm-itk on a Virtualmin based Ubuntu 8.04 | petermolnar ~blog says:
    June 22nd, 2010 at 8:42 am

    [...] So, I started to look for a solution, and luckily, I came across with Stuart Herbert’s Blog, and with the post of apache mpm-itk. [...]

  27. Eduard Haritonov says:
    November 21st, 2010 at 9:29 pm

    Run PHP as User

    mpm-itk, mod_ruid2, Plesk

    This add-on for Parallels Plesk Panel allows to run PHP scripts as domain FTP user. It only works in conjunction with mpm-itk or mod_ruid2 Apache module. In this case standard PHP module runs scripts. This is the fastest method unlike suPHP and FastCGI commonly used for the same purpose.

    Documentation: http://helixdevelopment.com/dl/rau/1.1.1/doc/
    Order: http://helixdevelopment.com/products.html
    Trial version for Linux: http://helixdevelopment.com/dl/rau/1.1.1/eval/

    Compatible Plesk versions:
    * Plesk 8 for Linux
    * Plesk 9 for Linux
    * Plesk 10 for Linux

  28. Thoughts on MPM-ITK? says:
    November 27th, 2010 at 5:25 pm

    [...] are two very good articles that cover both itk and peruser : http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/ http://blog.stuartherbert.com/php/2008/03/20/using-mpm-peruser-to-secure-a-shared-server/ May 31, [...]

  29. Installing apache2-mpm-itk on a Virtualmin based Ubuntu 8.04 | Péter Molnár Photography says:
    November 30th, 2010 at 7:09 pm

    [...] So, I started to look for a solution, and luckily, I came across with Stuart Herbert’s Blog, and with the post of apache mpm-itk. [...]

  30. fruity blog » Apache mpm-itk Absichern von Ubuntu 10.04 LTS Server says:
    May 7th, 2011 at 11:59 pm

    [...] good article by Stuart Herbert on this topic: Using mpm-itk To Secure A Shared Server Tool publisher Steinar H. [...]

  31. Securing a shared server with mpm-itk « svedin.org says:
    May 13th, 2011 at 9:55 pm

    [...] searching for how I could secure my web server environment I came across this wonderful post. I was already using suPHP. Replacing it with mpm-itk was very simple since mpm-itk was already in [...]

  32. Alex N says:
    June 8th, 2011 at 3:27 pm

    The Xcache works with MPM ITK starting at least from Ubuntu 8.04, stock repository installation.
    This way it is faster than the FCGI/CGI/SUPHP approach. Simpler as well.

  33. Hosting absichern: Apache2 mit ITK-MPM | martin-mueller.info says:
    September 23rd, 2011 at 5:18 pm

    [...] already gone to the trouble beforehand of comparing the 5 most common variants (suphp, mpm-peruser, mpm-itk, PHP + FastCGI and suexec + PHP + FastCGI). Admittedly the [...]

  34. Installing apache2-mpm-itk on a Virtualmin based Ubuntu 8.04 says:
    March 1st, 2012 at 9:45 am

    [...] So, I started to look for a solution, and luckily, I came across with Stuart Herbert’s Blog, and with the post of apache mpm-itk. [...]

  35. Install mpm-itk On Debian | prosoxi.com says:
    May 8th, 2012 at 12:33 pm

    [...] For speed considerations, take a look at http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/. [...]