Ubuntu – Correctly setup apache virtual hosts with multiple users


Thanks in advance for any help you may provide. I've self taught myself using linux (ubuntu), apache, virtual hosts and a few bits with regards to security, though I've yet to put these all together seamlessly.

I've also learnt the hard way from mistakes made in the past with regards to not setting up user accounts and sites/virtualhosts correctly. I ssh into the server as root (I know, very bad), and created all the virtual hosts and files manually, thus all being owned by root. I've had an old version of joomla exploited and malicious spam code inserted in all my other virtual hosts.

I'm in the process of moving to a new server and am looking for the correct steps to follow with regards to setting up virtual hosts and users accounts that can access them. Because we use 3rd party software, we have on a occasion needed someone else to ftp into the site to investigate their website files.

Our current server is version 10.04, however the new server is version 12.04. All website files are setup under





In short, I guess this is what I'm after.

  1. How do I correctly setup a virtual host and user, so that it only has access to its own files, and not any other virtual host on the server. For example, should that site get exploited with malicious code, it can't infect other sites on the server

  2. How would I setup users so that they can only ftp into their given files and not access any of the other sites.

As mentioned before, there are numerous articles detailing how to do any one of these steps, but nothing that brings them seamlessly together.

Really appreciate the help anyone can offer. Please feel free to ask for any additional information you may need to give advise. I'm currently following tutorials to setup chroot, however I fear I'm not doing this correctly as I've picked up a few inconsistencies along the way. Am also investigating jailkit.

Best Answer

Since question is the top search result in google when asked "apache virtual host separate user", I'd like to give a more elaborate answer based on this answer. My answer does not cover the usecase of PHP and CGI (you would use suPHP). It focuses on PHP when used as an apache module.

You can use the apache module apache2-mpm-itk. It is available for the current version of apache 2.4. It comes with the directive AssignUserID. This directive defines the user and group a virtual host's request is handled with. This is an example of the apache site configuration I ended up with:

<VirtualHost *:80>
ServerName www.site1.com
DocumentRoot /home/www/site1.com
AssignUserID site1 www-data
php_admin_value open_basedir /home/www/site1.com

Of course, this does only improve security as long as the individual DocumentRoots are owned by their respective users and are not group accesible. For further PHP-related security, scripts are jailed in the DocumentRoot with the open_basedir restriction. As for the backend file access, I prefer SFTP with chroot.

Note: apache2-mpm-itk is currently incompatible with Apache's http2 module.