GREAT NEWS - The answer to suexec/Apache/PHP problems

thoroughfare

For those despairing at the intrinsic lack of security in the current PHP/virtualhost/Apache setup, please see this:

http://www.telana.com/peruser.php

It's an MPM processor for Apache that spawns an Apache process for each virtualhost, as the user that you specify. It also supports chrooting and mod_ssl! It doesn't use threads (unlike the perchild MPM) so it's safe to use for PHP.

The caveat is that it's a very young project with only one developer. It seems that it works quite well on most Linux systems, but it's causing Apache to segfault on my FreeBSD box.

I'm gonna post an installation how-to in a minute. Please bear in mind that THIS SOFTWARE IS EXPERIMENTAL, but please please do try it on your test boxes and send in patches, suggestions, etc.

This is a revolutionary MPM that solves a lot of security headaches... no need for safe_mode anymore ;)

Matt :D
 
Does this mean it would also work with the CLI version of PHP, not just the CGI version (like suPHP)?
 
It would mean that PHP would run as mod_php (just like normal DA install), as an Apache module. No CGI, no performance impact (except that process-per-virtualhost will never be as fast as say the worker or prefork MPM).

It just means that Apache will fork a new process under the user who owns the virtualhost.

There's more info on the mailing list, see the link from that page.

HTH,
Matt :)
 
It's an MPM processor so it'll work with *any* Apache 2 installation, but as it's so new it probably needs tweaking for different OSes.

I've talked to the author and it seems it's working great for some people and not for others. The author is using it in production on his own web hosting company, but it's still very experimental.

I posted so that people could test this on their own development servers and perhaps help debug it on different OSes.

Many thanks,
Matt :)
 
Possible for you to provide a how-to?

Just noticed, this application will eat up a lot of resources?
 
Resource-wise it'll use more than the normal prefork MPM, but a lot less than say suPHP, fastcgi, etc. The security benefit greatly outweighs the small performance hit.

IMHO, having Apache run as one user for all customers is one of the worst things security-wise about shared hosting, and this MPM will be, indeed, like a dream come true.

I'll provide a how-to soon on how to install for those interested in testing :)

Matt
 
Sorry about that I was busy setting up a new box, I'll do it tonight when I get in from a gig.

On the plus side, it'll be a lovely how-to that patches customapache's build script so you barely have to do anything ;) I've written the patch, just need to write the how-to.

Matt :)
 
Maybe now you have some time for "How-to" ? :) Because I'm waiting for it and want to test on one server... :) Thanks.
 