From: "Jesse B. Crawford"
Date: Thu, 27 Oct 2011 14:31:54 -0600
To: users@httpd.apache.org
Subject: Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment
Message-ID: <4EA9BFBA.7020801@nmt.edu>

On 10/26/2011 07:58 PM, Yehuda Katz wrote:
> On Wed, Oct 26, 2011 at 9:49 PM, Alexandr Normuradov wrote:
>
> > Use MPM ITK.
> > Solves security, memory and speed problems.
> > Tested in production, very good alternative for environments when
> > users are not very savvy and do not require custom php.ini
>
> I use ITK with great results, but it needs to be configured for every
> virtual host individually.
> I believe the original poster is looking for a solution that will work
> with ~userdirs.
>
> I should add that I do not know of any universities that allow
> students to run arbitrary code on the primary servers.
> At the University of Maryland, you cannot run ANY code on the users
> server (they used to allow SSI, but that
> is gone now too) and many departments require an internal audit of
> your application before they will let it run on their servers.

Perhaps we are strange in this regard; we attempt to support all CGI
applications. That we don't have much trouble with this is probably
purely a consequence of being a small school such that our staff can
still watch all systems very carefully.

MPM-ITK does look problematic because of the per-vhost configuration. At
this point I am thinking suPHP is the best solution. Does anyone have
any experience with this extension? The documentation makes it sound
like suPHP and suExec at the same time will work just fine, and it looks
like it can be fairly easily configured for a userdir environment.

Thanks for the input!

--
Jesse B. Crawford (jeanluc)
Systems Programmer
Tech Computer Center
New Mexico Inst. of Mining & Tech.
jeanluc@nmt.edu // http://nmt.edu/~jeanluc