[webapps] PHP files owner

Patryk Zawadzki patrys at pld-linux.org
Wed Jun 13 10:46:29 CEST 2007


On 6/13/07, Tomasz Pala <gotar at polanet.pl> wrote:
> On Wed, Jun 13, 2007 at 09:19:10AM +0200, Jacek Konieczny wrote:
> > There is also another one, safe and easy solution: PHP running as
> > FastCGI, external to the web server.
> It's not so safe - it's still the same user for every script, so if appX
> can read its configuration file (with database password), then appY
> has access too (unless restricted by safe_mode or dozens of
> open_basedir).

No. FCGI is based on the concept of applications, not scripts. Each
application (think domain) has its own FCGI daemon running and
handling requests. If domain foo dies, bar is supposed to work

> So one should run one FastCGI process for every system account to be
> secure, or there must be some SUID on the way (that's why I have written
> about suexec+PHP-f?CGI).

You are supposed to run one process per application.

> > FastCGI application (including PHP interpreter) may be running on
> > a different account or even a different server than the web server
> Nice. Doesn't it break eAccelerator/other optimizers?

These are run by php, not apache.

> > IMHO the Apache's modules approach (mod_php, mod_python, mod_perl) is
> > broken by design (interpreter built into the server process cannot be
> > made multiuser and safe) and suexec and similar are only workarounds for
> > CGI limitations.
> Unfortunately, that's right...

+1

-- 
Patryk Zawadzki
Generated Content
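
The isolation argument in this thread (a shared account lets appY read appX's configuration file, one account per application does not), as an added example that is not part of the original message. The App record, the uids, gids and modes are constructed assumptions, and the check covers only classic POSIX mode bits.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str            # application (think domain)
    uid: int             # account its FastCGI daemon runs as
    gids: frozenset      # groups that account belongs to
    cfg_uid: int         # owner of the app's configuration file
    cfg_gid: int         # group of the configuration file
    cfg_mode: int        # permission bits of the configuration file

def can_read(uid, gids, f_uid, f_gid, mode):
    """POSIX read check: the first matching class (owner, group, other) decides.
    ACLs and directory search permissions are ignored in this sketch."""
    if uid == 0:
        return True
    if uid == f_uid:
        return bool(mode & stat.S_IRUSR)
    if f_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def cross_app_reads(apps):
    """(reader, owner) pairs where reader's daemon can read owner's config."""
    return [(r.name, o.name) for r in apps for o in apps
            if r is not o
            and can_read(r.uid, r.gids, o.cfg_uid, o.cfg_gid, o.cfg_mode)]

# Constructed layouts (uids, gids and modes are made up for illustration).
SHARED = [  # every script runs as the same user
    App("appX", 51, frozenset({51}), 51, 51, 0o600),
    App("appY", 51, frozenset({51}), 51, 51, 0o600),
]
SPLIT = [   # one daemon and one account per application
    App("appX", 1001, frozenset({1001}), 1001, 1001, 0o600),
    App("appY", 1002, frozenset({1002}), 1002, 1002, 0o600),
]
SPLIT_LOOSE = [  # separate accounts, but appX's config left world-readable
    App("appX", 1001, frozenset({1001}), 1001, 1001, 0o644),
    App("appY", 1002, frozenset({1002}), 1002, 1002, 0o600),
]

if __name__ == "__main__":
    for label, layout in (("shared", SHARED), ("split", SPLIT),
                          ("split, loose mode", SPLIT_LOOSE)):
        print(label, cross_app_reads(layout))
```

The third layout shows that separate accounts only help when the configuration file's mode is also tightened.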

