The Apache 2 ITK MPM

(Very provisional homepage, I'd rather make software than make web pages :-) )

Direct download link for Apache 2.0: patch series (apply in order), or a monolithic diff (both updated 2008-07-27). Apache 2.2: patch series (apply in order), or a monolithic diff (both updated 2008-07-27, see the changelog).

Both variants now include capabilities and nicing, and should be equivalent except for what upstream version they apply to.

There is now also a user mailing list at mpm-itk [at] lists.err.no. Visit the mailing list page to subscribe, or send a blank e-mail to mpm-itk-subscribe [at] lists.err.no.

Introduction

apache2-mpm-itk (just mpm-itk for short) is an MPM (Multi-Processing Module) for the Apache 2 web server (which you've probably heard of :-) ). mpm-itk allows you to run each of your vhosts under a separate uid and gid -- in short, the scripts and configuration files for one vhost no longer have to be readable by all the other vhosts.

There are already MPMs available that do this, namely the perchild and Metux MPMs (the latter being based on the former, which is included in the standard Apache 2 tree). However, both have their sets of problems. First, both are threaded, which can be a problem for many extension modules. Second, AFAIK both have issues with listening on multiple ports (i.e. SSL etc.), and I don't know how well they really perform in practice. (If you only run CGI scripts, suexec will also probably solve most of your problems.)

mpm-itk is based on the traditional prefork MPM, which means it's non-threaded; in short, this means you can run non-thread-aware code (like many PHP extensions) without problems. (On the other hand, you lose out on any performance benefit you'd get with threads, of course; you'd have to decide for yourself if that's worth it or not.)

Quirks and warnings

Warning: since mpm-itk has to be able to setuid(), it runs as root until the request is parsed and the vhost determined. This means that any security hole before the request is parsed will be a root security hole. (The most likely place is probably in mod_ssl...) Without implementing socket passing (which is the primary reason why perchild/metux don't really work well; it's complex enough in the difficult cases that nobody has bothered to finish their socket passing implementation) or using some sort of special SELinux functionality, this is not going to change in the near future.

UPDATE: Lennart Poettering kindly pointed out that at least under Linux, a process can drop most root privileges (like chown(), kill(), loading kernel modules etc. -- see capabilities(7) for a full list). The second patch above drops all such privileges except CAP_SETUID and CAP_SETGID, so the parent process still runs as uid=0 (and can still read files owned by uid=0 or gid=0), but is at least somewhat more limited.
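The capability drop described above, as an added C illustration (not taken from the mpm-itk patches): it uses the raw Linux capget/capset system calls to keep only CAP_SETUID and CAP_SETGID. The function names are hypothetical, and the kept set is intersected with what the process already holds, so the program also runs unprivileged.

```c
/* Added illustration, not mpm-itk source; function names are hypothetical. */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The two capabilities a root parent needs to switch to the vhost's uid/gid. */
uint64_t itk_keep_mask(void) {
    return (1ULL << CAP_SETUID) | (1ULL << CAP_SETGID);
}

/* Read the calling thread's permitted set as one 64-bit mask; 0 on success. */
int read_permitted(uint64_t *out) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    return 0;
}

/* Drop everything except CAP_SETUID/CAP_SETGID from the permitted and
 * effective sets and clear the inheritable set. The uid is unchanged, so a
 * root process can still read root-owned files, as the text notes. */
int drop_all_but_setid(void) {
    uint64_t have, keep;
    if (read_permitted(&have) != 0)
        return -1;
    keep = have & itk_keep_mask();   /* capset cannot add what we lack */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };
    data[0].effective = data[0].permitted = (uint32_t)keep;
    data[1].effective = data[1].permitted = (uint32_t)(keep >> 32);
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void) {
    uint64_t before = 0, after = 0;
    if (read_permitted(&before) != 0 || drop_all_but_setid() != 0 ||
        read_permitted(&after) != 0) {
        perror("capget/capset");
        return 1;
    }
    printf("permitted before=%#llx after=%#llx\n",
           (unsigned long long)before, (unsigned long long)after);
    return 0;
}
```

Run as root, the permitted set shrinks to the two kept bits; the later setuid() to a non-root vhost user then clears the remaining capabilities, as documented in capabilities(7).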

There is also another minor quirk in mpm-itk, since it doesn't support forwarding between httpd instances; if you connect to httpd, make a request and then make a request on the same connection for a different vhost (this is supported as per the RFCs, as far as I know), mpm-itk simply shuts down the connection. (This is perfectly legal according to RFC2616; the web server simply simulates a timeout, and the client is supposed to just open a new connection and retry the request.) In practice this should very rarely become a problem, unless you include, say, graphics from one vhost on the pages of one with a different uid.

Note that mpm-itk is experimental software; we've done a fair amount of stress testing, but it's nowhere near as tested as, say, prefork. That being said, it's being run in production at both Studentersamfundet i Trondhjem (the ITK name comes from IT-Komiteen, the IT committee at the student society in Trondheim) and NTNU (the Norwegian University of Science and Technology, with about nine million hits a day), as well as various other places around the world, both hobbyist and commercial.

People have reported issues with mpm-itk and mod_python, mod_ruby and FastCGI. I believe the mod_python and FastCGI problems have been largely solved by updates to those packages, but as I use neither, I can't really guarantee anything. YMMV, test before use. :-)

Installation

If you can't apply a patch, you probably should not be using this. :-) However, several distributions now include mpm-itk as a choice alongside the other MPMs; in alphabetical order:

If you know of any I missed, or if you have included mpm-itk in your favourite distribution, please drop me a note (see below). I'd always be happy to expand this list :-)

Configuration variables

The two new configuration settings compared to the prefork MPM are, per-vhost:

AssignUserID: Takes two parameters, uid and gid (or really, user name and group name); specifies what uid and gid the vhost will run as (after parsing the request etc., of course).

MaxClientsVHost: A separate MaxClients for the vhost. This can be useful if, say, half of your vhosts depend on some NFS server (like on our setup); if the NFS server goes down, you do not want the children waiting forever on NFS to take the non-NFS-dependent hosts down. This can thus act as a safety measure, giving "server too busy" on the NFS-dependent vhosts while keeping the other ones happily running. (Of course, you could use it to simply keep one site from eating way too many resources, but there are probably better ways of doing that.)

Note that if you do not assign a user ID, the default one from Apache will be used. (It used to be root, but that has changed in more recent releases.)

Licensing

mpm-itk is licensed under the Apache License, version 2.0, like the rest of Apache.

Contact

mpm-itk is at the moment developed by Steinar H. Gunderson; e-mail address is at my home page.