[thelist] PHP Perl Apache security
Keith
cache at dowebscentral.com
Tue Jul 22 01:07:42 CDT 2003
At 10:40 PM Monday 7/21/2003, you wrote:
>Honestly, perchild is stable enough -- if you don't use PHP. The
>threaded MPMs aren't great for PHP with some extensions enabled... some
>of the extensions aren't reentrant.

LOL! If my users don't use PHP then there's no need for any of this
:) SuExec takes care of Perl, so there's no need to have children of
Apache running loose mutating into god knows what if PHP is not running.
Thanks for the heads up on the threads problem! I've not seen that
mentioned elsewhere.

The more we look at our solution B, the more we lean towards it. Currently
users have to set a file to 666 for Perl/PHP to r-w and then keep Apache
out of it with htaccess. With suExec, Perl needs 600 at minimum and the
htaccess barricade to Apache is not needed. By allowing Apache (and module
run PHP) to take permissions from group instead of world, PHP would need
660 to write to the file, so once again the htaccess barricade would be
needed to keep Apache out. So instructions to users would be quite simple,
leave the default 644 on all files unless you write to them with Perl or
PHP and want them private - then change permissions to 660 and for PHP
continue to add an htaccess files deny directive. Voilà, userB can no
longer r-w data files that userA can r-w. And PHP is still running as an
Apache module.

Cheers!

Keith
====================
cache at dowebscentral.com
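
The following shell function is an added example, not part of the original message: it audits a document root against the permission scheme described above, flagging world-writable files left over from the 666 approach and 660 data files whose directory has no .htaccess deny. The function name, the finding labels and the `Deny from all` / `Require all denied` patterns it looks for are assumptions; it only checks the .htaccess in the file's own directory, not parent directories or whether the rule names that file.

```shell
#!/bin/sh
# audit_docroot DIR
# Prints one finding per line for regular files under DIR:
#   WORLD-WRITABLE <file>    other-write bit set (e.g. 666): any local
#                            account can modify the file
#   OK <file>                group read+write, no access for others
#                            (e.g. 660), and the directory's .htaccess
#                            contains a deny rule
#   NO-HTACCESS-DENY <file>  same mode, but no deny rule found, so Apache
#                            can still serve the file over HTTP
# Files with the default 644 produce no finding.
audit_docroot() {
    dir=$1

    # Leftovers from the "chmod 666 plus htaccess" scheme.
    find "$dir" -type f -perm -0002 | sort | sed 's/^/WORLD-WRITABLE /'

    # 660-style data files: group has read and write, others have neither.
    find "$dir" -type f -perm -0060 ! -perm -0004 ! -perm -0002 \
        ! -name '.htaccess' | sort |
    while IFS= read -r f; do
        ht=$(dirname "$f")/.htaccess
        # Ignore commented-out lines, then look for a deny rule
        # (older "Deny from all" or Apache 2.4 "Require all denied").
        if [ -f "$ht" ] && grep -v '^[[:space:]]*#' "$ht" |
            grep -Eqi 'deny from all|require all denied'; then
            echo "OK $f"
        else
            echo "NO-HTACCESS-DENY $f"
        fi
    done
}

# Run against a directory when one is given on the command line.
if [ -n "${1:-}" ]; then
    audit_docroot "$1"
fi
```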