[kwlug-disc] Security arguments

Khalid Baheyeldin kb at 2bits.com
Tue Sep 22 15:02:05 EDT 2009


> One way in which Apache could improve is to make privilege separation
> easier. On a shared host, there is no reason why my insecure PHP
> scripts and your fully-patched Drupal installation should be running
> under the same user ID. But you see that sort of thing all the time.
>

Apache has that feature via suExec

http://httpd.apache.org/docs/2.0/suexec.html

If you are using static content, it is directly usable.

If you are using dynamic content, it prevents you from using mod_php, the
fastest way of running PHP. In practice, shared hosts force you to use CGI,
which is fine for a low-traffic site, but very inefficient if your site gets
even a medium amount of traffic.

I see that fcgid (FastCGI support with process management) says it supports
SuExec too:

http://fastcgi.coremail.cn/configuration.htm

This is very promising since it addresses the scalability issue. I have yet
to try it though.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
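
The setup the message points to, as an added example that is not part of the original post: two sites on one Apache instance, each running PHP through mod_fcgid under its own account via suEXEC. The user names, hostnames and paths are assumptions, and each php-wrapper is assumed to be a small script that execs php-cgi.

```apache
# Constructed example: accounts alice/bob, hostnames and paths are placeholders.
LoadModule suexec_module modules/mod_suexec.so
LoadModule fcgid_module  modules/mod_fcgid.so

# Site 1: PHP processes run as alice:alice, not as the shared httpd user.
<VirtualHost *:80>
    ServerName alice.example.org
    DocumentRoot /var/www/alice/htdocs
    SuexecUserGroup alice alice
    <Directory /var/www/alice/htdocs>
        Options +ExecCGI
        AddHandler fcgid-script .php
        # suEXEC only runs the wrapper if it lives under the suEXEC
        # document root, is owned by alice:alice, and is not writable
        # by group or others.
        FcgidWrapper /var/www/alice/fcgi/php-wrapper .php
    </Directory>
</VirtualHost>

# Site 2: same layout, different account. A compromised script here
# runs as bob and has no write access to files owned by alice.
<VirtualHost *:80>
    ServerName bob.example.org
    DocumentRoot /var/www/bob/htdocs
    SuexecUserGroup bob bob
    <Directory /var/www/bob/htdocs>
        Options +ExecCGI
        AddHandler fcgid-script .php
        FcgidWrapper /var/www/bob/fcgi/php-wrapper .php
    </Directory>
</VirtualHost>
```

mod_php must not also be mapped to .php in these virtual hosts, since it would execute the scripts inside the httpd process under the shared server account. Keeping each docroot readable only by its owner and the web server is what stops one account from reading the other's files.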