httpd-dev mailing list archives

From Paul Querna <c...@force-elite.com>
Subject Re: User/group security without CGI (SuEXEC)
Date Mon, 05 May 2008 18:29:48 GMT
Jille Timmermans wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello hackers!
> 
> I was thinking of creating a more secure environment for running
> webscripts (mod_php in my case),
> I want to run php scripts as their owner.
> 
> I thought of the following schemes:
> http://junk.quis.cx/fViKmLRi/apache-user-scheme-p1.png
> http://junk.quis.cx/bPkxwAbI/apache-user-scheme-p2.png
> .....

The image in p2 is roughly what the 'perchild' MPM tried to do.

It's all feasible; it's mostly a question of having a willing developer to 
iron out all of the bugs on perchild or start with a new code base.

....
> What do you think about this idea?
> It does decrease the performance a bit (Workers should parse the
> request, put it in some shm, Executive should pick it up from the shm
> and really run the php-script. See the links above for the terms Worker
> and Executive.)
> But if the option is not specified it is possible to do it 'the old way'.
> Would it be possible to implement this as an MPM or MOD?

Yes, it should be possible to do this in an MPM.

Not to discourage you, but this is a hard problem, and many hours have 
been spent on it before without much result, but I would welcome 
someone who wants to do it :-)

-Paul
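
The proposal quoted above ends with an Executive process that runs the script as its owner. The following is an added example, not code from this thread or from httpd, of the identity check and irreversible privilege drop such an Executive would need. The function names, the `MIN_UID`/`MIN_GID` floors and the permission policy are assumptions.

```c
/* Added illustration; names and policy values are assumptions, not httpd code. */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MIN_UID 1000u /* assumed floor: never run scripts as system accounts */
#define MIN_GID 100u  /* assumed floor for the target group */

/* Decide which identity the Executive may assume for a script.
 * Returns 0 and fills uid/gid, or -1 if the script must not be run. */
int pick_identity(const struct stat *st, uid_t *uid, gid_t *gid)
{
    if (!S_ISREG(st->st_mode)) return -1;              /* no dirs, devices, FIFOs */
    if (st->st_mode & (S_ISUID | S_ISGID)) return -1;  /* no setuid/setgid scripts */
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return -1;  /* only the owner may edit it */
    if (st->st_uid < MIN_UID || st->st_gid < MIN_GID) return -1; /* covers root (0) */
    *uid = st->st_uid;
    *gid = st->st_gid;
    return 0;
}

/* Become uid/gid for good. Needs root, and this order: supplementary groups,
 * then gid, then uid (once the uid is dropped the first two calls would fail). */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop stuck: regaining root must now be impossible. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Executive side: open first, then fstat the descriptor so the checks apply to
 * the file that will be read, then drop. Returns the fd to run, or -1. */
int executive_prepare(const char *path)
{
    struct stat st; uid_t uid; gid_t gid;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && pick_identity(&st, &uid, &gid) == 0 &&
        drop_to(uid, gid) == 0) return fd;
    close(fd);
    return -1;
}
```

Because the drop is irreversible, an Executive that has served one owner cannot be reused for another; it has to be a fresh child of a privileged parent for each identity.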


