Message-ID: <49DC14EE.7090209@ak.jp.nec.com>
Date: Wed, 08 Apr 2009 12:07:26 +0900
From: KaiGai Kohei
To: dev@httpd.apache.org
Subject: Re: [RFC] A new hook: invoke_handler and web-application security
In-Reply-To: <88e286470904071927o45b10e38o3b74af160bddda37@mail.gmail.com>

Graham Dumpleton wrote:
> 2009/4/8 KaiGai Kohei:
>> Graham Dumpleton wrote:
>>> Explain first why using FASTCGI and suexec wouldn't be a better option?
>> These are limited to cgi applications, so we cannot apply such kind
>> of restriction on the built-in script languages and references on
>> static documents (like *.html).
>
> FASTCGI is not restricted to CGI applications. At least in the sense
> that FASTCGI allows persistent processes rather than one off processes
> like CGI. FASTCGI bindings are available for many different languages,
> including scripting languages, so what 'built-in script languages' are
> you talking about? The suexec mechanism comes into play as it allows
> FASTCGI processes to run as a different user than Apache process.

Hmm... I'll try to search for more details of the features of FastCGI.
If you have any hints, could you answer the questions I currently have?

IIRC, the CGI version of PHP cannot handle applications which write out
special HTTP headers, such as WWW-Authenticate: or Location:.
Is it possible to handle them correctly in FastCGI?

I could not find FastCGI support for WebDAV.
Is it possible to control access to files using SELinux?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei