# Apache24 + vHost UID + GID



## Leander (Jun 10, 2014)

HI

My www/apache24 already runs fine with mod_suexec.so and SuexecUserGroup. Unfortunately this doesn't take action for plain HTTP requests such as browsing through files and folders with Apaches (fancy)indexing - it falls back to www:www as defined in the httpd.conf by "User www" and "Group www". My aim is to have user/group -based vHost setups. Therefore I found three interesting methods which would solve the dilemma right away:

Based on mod_perchild or mpm_itk_module (kind of unclear to me which one ...)

```
AssignUserId vhost-user vhost-group
```

Based on mod_privileges:

```
VHostUser    vhost-user
VHostGroup   vhost-group
```

Based on mpm-peruser

Unfortunately, neither of the three seems to work with FreeBSD and Apache24. So I rather want to ask for some advice here before I waste anymore time on this.
Thanks


[EDIT]: E.g.: This doesn't seem to be available for www/apache24: https://wiki.systemli.org/howto/freebsd/apache22-mpm-itk


----------



## quintessence (Jun 12, 2014)

Hello,

Try to set SuexecUserGroup inside each virtual host definition.

From documentation http://httpd.apache.org/docs/current/suexec.html:



> One way to use the suEXEC wrapper is through the SuexecUserGroup directive in VirtualHost definitions. By setting this directive to values *different* from the main server user ID, all requests for CGI resources will be executed as the User and Group defined for that <VirtualHost>. If this directive is not specified for a <VirtualHost> then the main server userid is assumed.


----------



## Leander (Jun 12, 2014)

quintessence said:
			
		

> Hello,
> 
> Try to set SuexecUserGroup inside each virtual host definition.
> 
> ...



Thanks for your reply. Unfortunately this doesn't help me any further, since this is what I have in each vHost already. Yet plain browsing through files and folders is still executed by the default user www as defined in httpd.conf. As far as I know, suEXEC is only for [f]cgi.
Chrooting / jailing is not realy an option, since updating would be a horrible/risky procedure, since the setup would become way to complex - especially if there is some more domains to server with separate users/groups.

Any more ideas? Is there really no such implementation to FreeBSD? It seems kind of hard to belive?


----------

