[kwlug-disc] Security arguments
Khalid Baheyeldin
kb at 2bits.com
Tue Sep 22 15:02:05 EDT 2009
> One way in which Apache could improve is to make privilege separation
> easier. On a shared host, there is no reason why my insecure PHP
> scripts and your fully-patched Drupal installation should be running
> under the same user ID. But you see that sort of thing all the time.
>
Apache has that feature via suExec:
http://httpd.apache.org/docs/2.0/suexec.html
If you are using static content, it is directly usable.
If you are using dynamic content, it prevents you from using mod_php, the
fastest way of running PHP. In practice, shared hosts force you to use CGI,
which is fine for a low-traffic site, but very inefficient if your site gets
even a medium amount of traffic.
I see that fcgid (FastCGI support with process management) says it supports
SuExec too:
http://fastcgi.coremail.cn/configuration.htm
This is very promising since it addresses the scalability issue. I have yet
to try it though.
--
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
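
The setup discussed in this message, sketched as an added configuration example that is not part of the original post: two virtual hosts whose PHP runs through mod_fcgid under separate Unix accounts via suEXEC. The hostnames, user names, paths and the wrapper script are hypothetical, and access-control directives are omitted.

```apache
# Constructed example. Requires mod_suexec and mod_fcgid to be loaded,
# and mod_php must not be handling .php for these sites.
# Older mod_fcgid releases spell FcgidWrapper as FCGIWrapper.

<VirtualHost *:80>
    ServerName alice.example.org
    DocumentRoot /var/www/alice/htdocs

    # mod_suexec: CGI/FastCGI programs for this vhost run as alice:alice
    SuexecUserGroup alice alice

    <Directory /var/www/alice/htdocs>
        Options +ExecCGI
        AddHandler fcgid-script .php
        # Hypothetical wrapper that execs php-cgi. suEXEC refuses to run it
        # unless it is owned by alice:alice, is not writable by anyone else,
        # and lives under the document root suEXEC was compiled with.
        FcgidWrapper /var/www/alice/fcgi-bin/php-wrapper .php
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.org
    DocumentRoot /var/www/bob/htdocs

    # A different account: a flaw in bob's scripts runs with bob's
    # privileges only and cannot write to alice's files.
    SuexecUserGroup bob bob

    <Directory /var/www/bob/htdocs>
        Options +ExecCGI
        AddHandler fcgid-script .php
        FcgidWrapper /var/www/bob/fcgi-bin/php-wrapper .php
    </Directory>
</VirtualHost>
```

The separation only holds if each site's files are not readable or writable by the other account, so file ownership and modes under /var/www need to match the users named in SuexecUserGroup.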