Re: mod_perl without persistent interpreter state?

Thu, 22 Dec 2005 22:11:13 -0800
On Dec 22, 2005, at 11:44 PM, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote: 


Also don't most shared hosts use mod_php, not PHP/CGI?  What would be
the point of PHP via CGI?  mod_php works just fine. (As long as you
stay away from threads.)


security.

(sorry, this is off topic, but its a response)


shared hosts were all on mod_php for a while because thats what they  
thought they should do.  but a funny thing happend - they realized  
that mod_php lets user_a acces all of user_b's files -- because  
everything runs as the apache instance user and is read/writeable by  
it.  so most hosts started migrating to PHP/CGI via FasctCGI, so  
account holders can more easily run their scripts as a shell user.



under mod_php, unless you're running some pretty unstable other  
apache_mods, you're running every php script as that single webserver  
user - which is pretty unideal for a shared system from a security  
standpoint.



a few shared hosts give users the option of php4 mod_php or php5 cgi/ 
cgi to entice them to switch to a more secure framework without  
potentially breaking all of their apps (a few commands do not work)


if you're not in a shared hosting environment, then mod_php is fine.


but, if you are, some brazillian script kid can exploit a published  
vulnerability in phpGallery that another user on that machine has yet  
to patch, and use it to access/overwrite anything in your web  
directory.  fun.



a lot of design/production firms i know are abandoning mod_php  for  
cgi so that 1 client project runs completely separate of other client  
projects that they host.



its not a bad model security wise if you're running multiple projects  
on a single machine, and can be applied to mod_perl too.  on my main  
production server, i have things set up like this:


user: www
        runs lighttpd on port 80 as proxy / vanilla1 server
        runs apache-vanilla on port 8080 for general apache sites

user: wwwapp1
        runs php via lighttpd fcgi on its own directory root
user: wwwapp2

	runs mod_perl2 via apache2 on port 8081 bound to localhost for a  
specific code group

user:www app3

	runs mod_perl2 via apache2 on port 8082 bound to localhost for a  
specific code group


under this setup, my 3 webapps can't screw with each other's files.


i'm sure there's a more elegant way to do it -- but that was fast and  
painless for me to set up.





















					Reply via email to