On Dec 22, 2005, at 11:44 PM, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote:
> Also don't most shared hosts use mod_php, not PHP/CGI? What would be
> the point of PHP via CGI? mod_php works just fine. (As long as you
> stay away from threads.)
security.
(sorry, this is off topic, but it's a response)
shared hosts were all on mod_php for a while because that's what they
thought they should do. but a funny thing happened - they realized
that mod_php lets user_a access all of user_b's files -- because
everything runs as the apache instance user and is read/writeable by
it. so most hosts started migrating to PHP/CGI via FastCGI, so
account holders can more easily run their scripts as a shell user.
under mod_php, unless you're running some pretty unstable other
apache mods, you're running every php script as that single webserver
user - which is not ideal for a shared system from a security
standpoint.
a few shared hosts give users the option of php4 mod_php or php5 cgi/
cgi to entice them to switch to a more secure framework without
potentially breaking all of their apps (a few commands do not work)
if you're not in a shared hosting environment, then mod_php is fine.
but, if you are, some Brazilian script kid can exploit a published
vulnerability in phpGallery that another user on that machine has yet
to patch, and use it to access/overwrite anything in your web
directory. fun.
a lot of design/production firms i know are abandoning mod_php for
cgi so that one client project runs completely separately from the other
client projects that they host.
it's not a bad model, security-wise, if you're running multiple projects
on a single machine, and can be applied to mod_perl too. on my main
production server, i have things set up like this:
user: www
    runs lighttpd on port 80 as proxy / vanilla server
    runs apache-vanilla on port 8080 for general apache sites
user: wwwapp1
    runs php via lighttpd fcgi on its own directory root
user: wwwapp2
    runs mod_perl2 via apache2 on port 8081 bound to localhost for a
    specific code group
user: wwwapp3
    runs mod_perl2 via apache2 on port 8082 bound to localhost for a
    specific code group
under this setup, my 3 webapps can't screw with each other's files.
i'm sure there's a more elegant way to do it -- but that was fast and
painless for me to set up.
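Added example, not part of the mail above: a small POSIX sh script that checks the property the per-user setup is meant to give you, namely that each app's directory root is owned by its own system user and that nothing under it is readable or writable by "other", so the neighbouring app users (and a shared webserver user) cannot reach it. The paths and user names are assumptions, and launching php-cgi with spawn-fcgi is my assumption too; the mail does not say how the fcgi processes are started.

```shell
#!/bin/sh
# Added example (not from the original mail). Audits the per-user layout the
# mail describes: one system user per web app, each owning its own root.
# All paths and user names below are assumptions.

# count_leaks ROOT
#   Prints how many files or directories under ROOT are readable or writable
#   by "other" (mode bits o+r or o+w). Any such entry is reachable from the
#   other app users on the box, so the target is 0.
count_leaks() {
    find "$1" \( -perm -004 -o -perm -002 \) -print | wc -l | tr -d ' '
}

# count_foreign_owners ROOT USER
#   Prints how many entries under ROOT are not owned by USER. Files written
#   by a shared webserver user (the mod_php pattern) show up here.
count_foreign_owners() {
    find "$1" ! -user "$2" -print | wc -l | tr -d ' '
}

# audit_root ROOT USER
#   Returns 0 when ROOT is fully owned by USER and exposes nothing to others,
#   1 otherwise; prints a one-line summary either way.
audit_root() {
    root=$1
    owner=$2
    leaks=$(count_leaks "$root")
    foreign=$(count_foreign_owners "$root" "$owner")
    echo "$root: $leaks world-accessible, $foreign not owned by $owner"
    [ "$leaks" -eq 0 ] && [ "$foreign" -eq 0 ]
}

# spawn_php_for_user USER
#   Assumption: starts a php-cgi FastCGI pool as USER on a unix socket that
#   only USER's group can connect to. Needs root; not run by the audit.
spawn_php_for_user() {
    spawn-fcgi -u "$1" -g "$1" -s "/var/run/fcgi-$1.sock" -M 0660 \
        -- /usr/bin/php-cgi
}

# Usage, one call per app user as in the mail (roots are assumptions):
#   audit_root /home/wwwapp1/htdocs wwwapp1
#   audit_root /home/wwwapp2/htdocs wwwapp2
#   audit_root /home/wwwapp3/htdocs wwwapp3
```

Run the audit from cron or after each deploy; a non-zero exit means some file under that app root is either world-accessible or owned by the wrong user, which is exactly the gap that lets one tenant's compromised app read another tenant's config.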