[webapps] PHP files owner

Jacek Konieczny jajcus at jajcus.net
Wed Jun 13 10:52:58 CEST 2007


On Wed, Jun 13, 2007 at 10:14:47AM +0200, Tomasz Pala wrote:
> It's not so safe - it's still the same user for every script, so if appX
> can read its configuration file (with database password), then appY
> has access too (unless restricted by safe_mode or dozens of
> open_basedir).
> So one should run one FastCGI process for every system account to be
> secure, or there must be some SUID on the way (that's why I have written
> about suexec+PHP-f?CGI).

I was thinking about the process-per-uid solution. Or some facility to
start such processes on demand (it doesn't have to be SUID, it may run
with uid=0 and do not much more than fork() and setuid()).

> > FastCGI application (including PHP interpreter) may be running on
> > a different account or even a different server than the web server
> [...]
> 
> Nice. Doesn't it break eAccelerator/other optimizers?

I don't know those, so I cannot tell you.

> > Maybe PLD could prepare some framework for running PHP applications via
> > FastCGI under Apache?
> 
> apache-mod_fastcgi, apache-mod_fcgid or sth else? 

I was thinking about some infrastructure for webapps in PLD packages so
they could be run via fastcgi and not require mod_php. But this should
be flexible, so mod_php and servers other than Apache would work too...
that would mean complicated... and that could mean: not worth doing it.

> BTW description of
> the latter says: 'and kick out the corrupt fastcgi server as soon as
> possible'.

Sounds good... as with mod_fastcgi I have often encountered a problem
when fastcgi app crashed and Apache still tried to use it for a few
requests.

Greets,
        Jacek
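
The on-demand launcher discussed in this message (a uid=0 process that does little more than fork() and setuid()), sketched as an added example that is not part of the original post or of any PLD package. MIN_ID, the function names and the exit codes 111/127 are assumptions of the sketch.

```c
/* Added example: privilege drop for a per-account FastCGI launcher. */
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MIN_ID 1000  /* assumed policy: never run as root or a system account */

/* Policy check done before any fork(): 1 if the target may be used. */
int target_allowed(uid_t uid, gid_t gid)
{
    return uid >= MIN_ID && gid >= MIN_ID &&
           uid != (uid_t)-1 && gid != (gid_t)-1;
}

/* Irreversibly become uid:gid. Order matters: groups, then gid, then uid,
 * because after setuid() the process can no longer change its groups. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;  /* discard root's extra groups */
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    /* Verify: regaining root must fail and every id must match the target. */
    if (setuid(0) == 0 || seteuid(0) == 0)   return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Fork a worker, drop privileges in the child, exec argv[0].
 * Returns the child's exit status, or -1 if nothing was started.
 * (A long-running launcher would reap workers asynchronously instead.) */
int spawn_as(uid_t uid, gid_t gid, char *const argv[])
{
    if (!target_allowed(uid, gid)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(111);              /* never exec with leftover root ids */
        execv(argv[0], argv);
        _exit(127);                  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Every return value is checked because a setuid() that fails silently would leave the PHP interpreter running as root, and the launcher refuses the target before forking so that a bad request never creates a process at all.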


More information about the pld-devel-en mailing list