httpd-dev mailing list archives

From "Steinar H. Gunderson"
Subject Re: Inclusion of mpm-itk into HEAD
Date Mon, 25 Jun 2007 10:16:56 GMT
On Mon, Jun 25, 2007 at 08:08:03PM +1000, Graham Dumpleton wrote:
> Or you can use PHP under fastcgi. With fastcgi the code would run in a
> separate process and you could have any number of processes
> corresponding to whatever virtual hosts you have. Because it is a
> separate process it can run from the outset as whatever user you want
> thus avoiding any danger points where code would be run as root.

Yes, it is obviously an alternative, but FastCGI has its own sets of quirks,
and PHP under CGI too (as far as I know; I'm no PHP user). Also, it won't
help you for anything that runs as a module; say, mod_dav_svn or mod_perl.

Various solutions to this problem have different tradeoffs -- among them
performance, security, complexity and applicability to different scenarios.
What mpm-itk gives you is a very simple solution that's one line per vhost
and works with a _lot_ of different use cases out of the box; I believe that
has a value in itself. Of course, I'd very much prefer a "real" perchild that
setuids before accepting the connection and then does connection passing, but
we're now several years (and at least SoC project) since the release of
Apache 2.0, and it doesn't really seem to be appearing anytime soon.

>> Doesn't mod_python load these up-front, so they'd be available before the
>> fork?
> No. The only thing which is done before the fork is the initialisation
> of the Python interpreter. It isn't safe to do anything more than that
> as the parent process runs as root.

OK, then performance will suffer in this scenario.

/* Steinar */
