Re: Switching bugzilla suEXEC => mod_cgi
- From: Patrick Fey <inside nachtarbeiter net>
- To: Tobias Mueller <muelli auftrags-killer org>
- Cc: Owen Taylor <otaylor redhat com>, gnome-infrastructure gnome org
- Subject: Re: Switching bugzilla suEXEC => mod_cgi
- Date: Sat, 01 Aug 2009 13:16:03 +0200
-----BEGIN PGP SIGNED MESSAGE-----
On 01.08.2009 12:29, Tobias Mueller wrote:
>> With mod_perl we can't use a separate user/group to get isolation;
> This should work with the mpm-itk worker for Apache though:
> http://mpm-itk.sesse.net/. I run it with mod_wsgi as well as mod_php and
> it works quite well. I don't know about the performance impacts though,
> but I feel it's worth a try.
the risk of using this worker is, that your webserver will run as root
until the request is parsed and it knows what UID to use for the
request. A security hole in Apache might turn out to be a root security
hole. So you should be monitoring Apache security very carefully when
using this worker. Also, this might not be such a big problem for you,
if you're using it in a vm and have sufficient backups of your database
(and other files you depend on) at hand.
All that said, I was thinking of this worker, too, when I read Owens
original mail. I've been using it on a number of servers for some time
now and have had no problems with it so far. Compromised customer web
spaces due to security holes in PHP scripts are much more common. One
should be aware of this risk when using the worker, though.
Speaking of performance, if you decide to stay with fcgi you might want
to look at other web servers like Cherokee or nginx, which perform much,
much better than Apache (in terms of ram used per request).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
] [Thread Prev