On Dec 22, 2005, at 11:44 PM, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote:

Also don't most shared hosts use mod_php, not PHP/CGI?  What would be
the point of PHP via CGI?  mod_php works just fine. (As long as you
stay away from threads.)

security.

(sorry, this is off topic, but it's a response)

shared hosts were all on mod_php for a while because that's what they thought they should do. but a funny thing happened - they realized that mod_php lets user_a access all of user_b's files -- because everything runs as the apache instance user and is read/writable by it. so most hosts started migrating to PHP/CGI via FastCGI, so account holders can more easily run their scripts as a shell user.

under mod_php, unless you're running some pretty unstable other apache_mods, you're running every php script as that single webserver user - which is pretty unideal for a shared system from a security standpoint.

a few shared hosts give users the option of php4 mod_php or php5 cgi/cgi to entice them to switch to a more secure framework without potentially breaking all of their apps (a few commands do not work)

if you're not in a shared hosting environment, then mod_php is fine.

but, if you are, some Brazilian script kid can exploit a published vulnerability in phpGallery that another user on that machine has yet to patch, and use it to access/overwrite anything in your web directory. fun.

a lot of design/production firms i know are abandoning mod_php for cgi so that 1 client project runs completely separate of other client projects that they host.

it's not a bad model security-wise if you're running multiple projects on a single machine, and can be applied to mod_perl too. on my main production server, i have things set up like this:

user: www
        runs lighttpd on port 80 as proxy / vanilla1 server
        runs apache-vanilla on port 8080 for general apache sites

user: wwwapp1
        runs php via lighttpd fcgi on its own directory root
user: wwwapp2
        runs mod_perl2 via apache2 on port 8081 bound to localhost for a specific code group
user: wwwapp3
        runs mod_perl2 via apache2 on port 8082 bound to localhost for a specific code group

under this setup, my 3 webapps can't screw with each other's files.

i'm sure there's a more elegant way to do it -- but that was fast and painless for me to set up.
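As an added example (not code from the original email or the author's servers), a POSIX shell audit for the per-user model described above: once each account's PHP runs as its own user, nothing in its web root needs to be readable by the shared webserver user, so this script lists the files under an account root that are still readable or writable by "other". The account names and the directory tree it scans are constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not part of the original email or the author's setup.
# Under mod_php every account's files must be readable by the one webserver
# user, so every other account's script can read them too. Once PHP runs as
# the owning user via FastCGI, files can be owner-only, and anything still
# open to "other" is a leftover exposure worth finding.

# Print every regular file under $1 that is readable or writable by "other".
audit_webroot() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) -print
}

# Number of exposed files under $1 (0 means the root is locked down).
count_exposed() {
    audit_webroot "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: two account roots, one locked down, one not.
# (Demo data only; the names wwwapp1/wwwapp2 are assumed, not a real host.)
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/wwwapp1" "$DEMO_ROOT/wwwapp2"
printf '<?php $db_pass = "x"; ?>\n' > "$DEMO_ROOT/wwwapp1/config.php"
chmod 0600 "$DEMO_ROOT/wwwapp1/config.php"   # owner only: fine
printf '<?php $db_pass = "y"; ?>\n' > "$DEMO_ROOT/wwwapp2/config.php"
chmod 0644 "$DEMO_ROOT/wwwapp2/config.php"   # world-readable: exposed
printf 'index\n' > "$DEMO_ROOT/wwwapp2/index.html"
chmod 0606 "$DEMO_ROOT/wwwapp2/index.html"   # world-writable: exposed

for acct in wwwapp1 wwwapp2; do
    echo "$acct: $(count_exposed "$DEMO_ROOT/$acct") exposed file(s)"
    audit_webroot "$DEMO_ROOT/$acct"
done
```

Run it against each real account root after the migration; a non-zero count means that account still depends on the old shared-user read access.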
