httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: mpm-itk and upstream Apache, once again
Date Thu, 19 Jul 2012 15:27:04 GMT
On Thu, Jul 19, 2012 at 10:17 AM, Steinar H. Gunderson
<sgunderson@bigfoot.com> wrote:
> Hi,
>
> I've asked previously on this list about inclusion of mpm-itk
> (http://mpm-itk.sesse.net/) into upstream Apache; previously, the requests
> have died down, mostly over discussions on security (mpm-itk does
> configuration and request parsing as uid 0, although with very limited
> capabilities) and arguments along the lines of “there is no need”,
> e.g. various people I've talked to feel that there are other adequate
> solutions for the problem, including suexec, multiple Apache instances with
> reverse proxying, or some GSoC project.
> (http://wiki.apache.org/httpd/PrivilegeSeparation even claims you can
> keep administrators from reading each others' sites simply by setting
> chmod 0640, completely ignoring the case where you can run PHP code
> or CGI scripts!)
>
> However, since then mod_privileges has entered Apache trunk, which gives
> similar functionality (contradicting the arguments about “no need”), is very
> similar in terms of security model (contradicting the arguments about “the
> model is too insecure”), but is Solaris-specific, has less functionality (it
> lacks per-vhost nicing and per-vhost client limits), and generally seems to
> be less mature (e.g., as far as I can see, it fails to adequately handle the
> case where the client goes to a different-uid vhost and .htaccess thus is
> not readable).
>
> Furthermore, Fedora has recently accepted the mpm-itk patch into their Apache
> packages. This means that nearly every major distributor of Apache now
> supports mpm-itk; in particular, Arch, Debian, Fedora, FreeBSD ports, Gentoo,
> Mandriva, openSUSE and Ubuntu all include mpm-itk. I do not know of any
> module with a similar status, and having them all integrate the patch
> separately instead of simply having it in mainline seems wasteful.
>
> mpm-itk has, despite its non-mainline status, been in production in large
> sites for many years (it has been under development since 2005), and should
> at this point be considered mature. What would be needed to get it into mainline?

I personally don't want to think about getting mpm-itk into mainline,
but I am interested in the following, which is largely a prerequisite
to what you requested:

What changes are needed to httpd trunk so that you can build mpm-itk
with apxs and enable it via LoadModule, such that mpm-itk is fully
functional?  As I'm sure you're aware, prefork, worker, and event are
all untied from core enough to support that in httpd >= 2.4.

>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
>
-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
