[thelist] PHP Perl Apache security

Keith cache at dowebscentral.com
Tue Jul 22 01:07:42 CDT 2003

At 10:40 PM Monday 7/21/2003, you wrote:

>Honestly, perchild is stable enough -- if you don't use PHP. The
>threaded MPMs aren't great for PHP with some extensions enabled... some
>of the extensions aren't reentrant.

LOL! If my users don't use PHP then there's no need for any of this 
:)  SuExec takes care of Perl, so there's no need to have children of 
Apache running loose mutating into god knows what if PHP is not running. 
Thanks for the heads up on the threads problem! I've not seen that 
mentioned elsewhere.

The more we look at our solution B, the more we lean towards it. Currently 
users have to set a file to 666 for Perl/PHP to r-w and then keep Apache 
out of it with htaccess. With suExec, Perl needs 600 at minimum and the 
htaccess barricade to Apache is not needed. By allowing Apache (and module 
run PHP) to take permissions from group instead of world, PHP would need 
660 to write to the file, so once again the htaccess barricade would be 
needed to keep Apache out. So instructions to users would be quite simple, 
leave the default 644 on all files unless you write to them with Perl or 
PHP and want them private - then change permissions to 660 and for PHP 
continue to add an htaccess files deny directive. Viola, userB can no 
longer r-w data files that userA can r-w. And PHP is still running as an 
Apache module.


cache at dowebscentral.com

More information about the thelist mailing list