Hello,

We are all concerning by the security with apache. As every body know the pbm is that an Apache process run under a uid/gid so your web document need to be readable by this uid or gid

Of course there is some solution to run Apache in a chrooted environment.

Apache worked on the perchild MPM to have Apache running under the owner of the script. But it has a lot of bug and Apache doesn't follow up this project.

A new project did appear, called metuxmpm. It works better than perchild but requires you to use multithreaded versions of PHP, Perl and Python (if you want to use mod_perl or mod_python). Between the three of them, and all the third party modules and libraries they link to, there can be a lot of non-threadsafe code involved. That can cause very nasty crashes that are very hard to reproduce.

So here come the peruser project http://www.telana.com/peruser.php
Check it out

I've done some test with it on a NON production box and it seems to work great

Only to give you this link, and let you know that it begins to have some working solutions to the good perchild idea

You might test it and let us know how it works for you

Pascal

Pascal,

I remember I googled the old "perchild" a long time ago and thought it was a perfect fit only to find that the project died out before I even found it.

I have a situation where the peruser would come in handy. The database isn't the best place to save large data files. I save them on the hard drive and just have the database for *pointing* to the location where the file is saved. The problem is that if someone could figure out the exact location of the file (b/c I think I could block directory list on the directories above where the files are saved) they could read the file using their own PHP script on a different account. I assign the files random filenames on the server to prevent this, but still is not 100%. If apache was using the peruser then only that account would have access to those files :D

Do I understand this correctly? The peruser is a mod of metuxmpm to have the same per user support in a non-multithreaded environment?

And since this is a module maybe Iworx can add this as an optional package that can be turned on and off in the new NodeWorx Apache interface?

Do I understand this correctly? The peruser is a mod of metuxmpm to have the same per user support in a non-multithreaded environment?


You absolutly right


And since this is a module maybe Iworx can add this as an optional package that can be turned on and off in the new NodeWorx Apache interface?


héhé...... one time again you absolutly right. After this you just have to change some data in /home/interworx/etc/vhost.......conf template file to add per vhost basis the data needs by peruser.
But the patch is for 2.0.52 and not for 2.0.54, and you have to recompile your httpd.

To be frank I didn't test it on a production Box with huge vhost, so I can't say if it works great in this case and how are the performance. But apparently the developer use it for his production box.

I've registered to the mailing list to see what kind of pbm this mod is running out.

Pascal