httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: MPM-Module perchild
Date Mon, 23 Nov 2009 22:16:29 GMT
Graham Dumpleton wrote:

>> http://httpd.apache.org/docs/2.3/mod/mod_privileges.html (in future httpd 2.4)
> 
> FWIW, contrary to what is suggested by documentation for
> mod_privileges, I would anticipate that modules which embed a Python
> interpreter such as mod_python and mod_wsgi are not going to be
> compatible with at least the SECURE mode of mod_privileges. This is
> because after a fork of a Python process a special Python interpreter
> core function has to be called to do some fixups. This is fine if the
> fork is done from Python code as it will be done automatically, but not
> if done from external C code in the same process. Not sure how well things
> will work if that fixup function isn't called.

That's entirely likely.  Fast mode is straightforward, but secure
mode is only sparsely tested, and could easily fall down when presented
with complex problems as you suggest.  In such a scenario we could
either fix it as you suggest (how does ITK deal with this?), or
bow out and recommend alternatives.

> BTW, what operating system feature does this use that means it is only
> usable on Solaris?

Is there another OS that supports Solaris-style privileges?
One could envisage other modules to harness operating system
security - such as SELinux - but I don't think it would look
similar enough to abstract out a common API.

-- 
Nick Kew
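
An added illustration, not part of the original message or of any httpd module: the post-fork fixup Graham describes, shown with current CPython (3.7+, POSIX), where `os.register_at_fork` hooks run as part of the interpreter's own after-fork handling (`PyOS_AfterFork_Child()` in the C API). The hook and helper names are constructed for the example, and the direct libc `fork()` call stands in for a fork made by external C code in the same process.

```python
import ctypes
import os

hook_runs = []  # appended to by the after-fork hook, in the child only

# Stand-in for the interpreter state that must be repaired after a fork.
os.register_at_fork(after_in_child=lambda: hook_runs.append(os.getpid()))


def child_saw_fixup(fork_func):
    """Fork with fork_func; return True if the after-fork hook ran in the child."""
    hook_runs.clear()
    read_fd, write_fd = os.pipe()
    pid = fork_func()
    if pid == 0:  # child: report the result and leave without parent cleanup
        try:
            os.write(write_fd, b"1" if hook_runs else b"0")
        finally:
            os._exit(0)
    os.close(write_fd)
    result = os.read(read_fd, 1)
    os.close(read_fd)
    os.waitpid(pid, 0)
    return result == b"1"


def fork_from_python():
    # os.fork() performs the interpreter's after-fork fixup in the child.
    return os.fork()


def fork_from_c():
    # Calls libc fork() directly, as C code outside the interpreter would.
    # CPython is never told that a fork happened, so no fixup is performed.
    # PyDLL keeps the GIL held across the call so the child inherits it intact.
    libc = ctypes.PyDLL(None)
    pid = libc.fork()
    if pid < 0:
        raise OSError("fork failed")
    return pid


if __name__ == "__main__":
    print("os.fork   -> fixup ran in child:", child_saw_fixup(fork_from_python))
    print("libc fork -> fixup ran in child:", child_saw_fixup(fork_from_c))
```

A host that forks from C with an embedded interpreter loaded has to invoke the fixup itself in the child, which is the compatibility gap raised above.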
