Run Apache as different User is quite useful in WordPress development and WordPress hosting.
Apache runs as www-data in Debian/Ubuntu.
However, this is not convenient in a WordPress installation:
On the production server
- Many WordPress files must be owned by the SSH/SFTP user in order to apply changes
- Most WordPress must be owned by the Web Server user, so WordPress updates can be applied
Even more so in a development environment
Except for the above reasons, Many WordPress files must be owned by the PC user in order
- to process the code with your IDE
- to use git (if needed)
- to make backups easily
Run Apache as different User with mpm-itk
There are several solutions to this problem. One of these is mpm-itk.
According to the official page:
apache2-mpm-itk (just mpm-itk for short) is an MPM (Multi-Processing Module) for the Apache web server. mpm-itk allows you to run each of your vhost under a separate uid and gid—in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts.
Just install it:
apt-get install libapache2-mpm-itk
and use the following directives in your vhost config file:
<IfModule mpm_itk_module>
AssignUserId your_user your_group
</IfModule>
For example:
<VirtualHost *:443>
ServerName example.com
ServerAdmin you@your_email.com
DocumentRoot /var/www/html/example.com
<IfModule mpm_itk_module>
AssignUserId your_user your_group
</IfModule>
<Directory /var/www/html/example.com>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/example.com_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/example.com_access.log combined
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SSLEngine on
SSLCertificateFile /etc/ssl-dev/your_cert.pem
SSLCertificateKeyFile /etc/ssl-dev/your_cert_key.pem
</VirtualHost>
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
Problems with Docker
It will not run in a Docker container.
In Apache error.log you will get an error like this:
[mpm_itk:warn] [pid 1783] (itkmpm: pid=1783 uid=33, gid=33) itk_post_perdir_config(): setgid(1000): Operation not permitted
The solution is to run the container with different permissions (less secure – not recommended on production)
docker run \
--name "my-container" \
--cap-add=SYS_NICE --cap-add=DAC_READ_SEARCH \
vendor/image
More info here.
Problems with PHP mail function and Exim4
The PHP mail function does not work with exim4 if you have libapache2-mpm-itk installed(!)
exim crashes when WordPress was trying to send email and in the paniclog (/var/log/exim4/paniclog) you will see something like this:
2023-01-30 19:25:27 unable to set gid=33 or uid=0 (euid=0): forcing real = effective
According to
- the official page of mpm-itk
- and this resource
the solution is to add LimitUIDRange 0 2000 in Apache configuration.
nano /etc/apache2/conf-available/mpm_itk_with_php_mail.conf
add the directive:
LimitUIDRange 0 2000
and finally:
a2enconf mpm_itk_with_php_mail
systemctl restart apache2.service
(probably insecure for production use)
Entrepreneur | Full-stack developer | Founder of MediSign Ltd. I have over 15 years of professional experience designing and developing web applications. I am also very experienced in managing (web) projects.
