httpd-dev mailing list archives

From "Leif W" <>
Subject Re: UNIX MPMs [ot?]
Date Thu, 10 Feb 2005 14:10:24 GMT
> "Nick Kew" <>; 2005-02-10@08:11 GMT-5
> I agree the documentation should be better.  Also we should properly
> document the perchild-like options, since that is frequently-requested.
> In the meantime, here's a list of things to look at if you want
> perchild-like:
>  * Metux MPM
>  * mod_ruid  (Linux only)
>  * fastcgi (CGI plus)
>  * suexec (for CGI)

Hi, sorry if this is off-topic, but I just want to make sure I 
understand this problem.  Last month I read an email on another list 
(suPHP) in which someone was upset about the security of Apache 2.0.x 
with all file i/o and cgi being done by a single user, and the perchild 
MPM being broken.  The frustration is that it is difficult, if not 
impossible (and potentially not even portable) to get all of these 
"workarounds" working together.  And the clinching belief is that these 
should all be handled in the core of Apache, or with a working MPM.

Here I post as complete a list as I can think of, including the new ones I 
see above.

* cgiwrap
* FastCGI
* Metux MPM
* mod_perl
* mod_php
* mod_ruid  (Linux only)
* suexec
* suphp

It's already a huge list of workarounds, and compatibility and portability 
for an admin could be a nightmare.  I do not know if there are even more 
security wrappers needed for other language modules.  Can anyone add to 
the list some things which might commonly be used in concert?  Is there 
any "direction" given from "the top" of the Apache group in regards to 
what gets attention?  In the message on the suPHP list, it is implied 
that there is in general a mentality that security is not a priority (at 
least regarding setuid per request as perchild MPM would like to do), 
only competing with MS/IIS.

I'm not implying anything, I don't know what to believe, so that's why I 
ask.  I'm just trying to understand where the breakdown is.  A feature 
that people want, the lack of which spawns a sloppy slew of incompatible 
workarounds, but no one around to respond and code it or fix what's 
available.  The strength of Apache was always *nix, so why abandon 
security on *nix for the sake of portability to Windows?  It's the 
natural impression given by first glance of the timeline of events, not 
an accusation.  Or is it just coincidence that someone (or many people) 
lost interest in perchild and there's been no one to pick up the slack, 
and other people just happened to want to increase portability to 

I mean, I like having a windows port, because I can at least practice 
using Apache somewhat, and it expands the development platform, but I 
won't ever, ever, EVER run it on Windows in production, simply because 
I'd never run Windows in production.  Except insofar as to show Windows 
users a shining example of free software, and offer the idea of using an 
entire OS filled with shining examples of free software engineering. 
;-)  Tongue in cheek of course, with the ugly little problems such as 
this code abandonment of vital features at the back of my mind.  I don't 
mean to start an OS flame war, so please don't respond with that in 
mind.  :-)  If other people would like to use Windows, it takes nothing 
away from me, I'm just stating opinion based on my own interaction and 
experience with Apache, Win, and *nix (Linux & FreeBSD).

