Re: shared hosts and MP2 security

[prev] [thread] [next] [Date index for 2004/12/23]

Markus Wichitill wrote:
> Nick *** wrote:
> 
>> Let's assume that I have a web server with 50 virtual hosts. This web 
>> server is apache2 running as user nobody and has php installed. I've 
>> set php's OPEN_BASEDIR option for every VHost, so I can restrict the 
>> users' IO access outside their directories. Now I want to install MP2 
>> on the same server. I am setting a different interpreter pool for  
>> every VHost. And now how do I make sure that VHost1 user doesn't 
>> open($file, "<", "/www/VHost2/mysql_user_and_pass.pl").
> 
> 
> You basically can't.
> 
> What you really want is running different vhosts under different user 
> accounts, and that's what the Apache2-bundled perchild MPM was meant 
> for, but that was never finished. There's also the metux MPM project 
> which was meant to replace the perchild MPM, but that project seems to 
> be mostly dead, too. Which is a pity, since this means one less major 
> feature that might have made users switch to Apache2.

No fear, there is Metux MPM http://www.metux.de/mpm/en/ which should do 
the same and better. I haven't tried it myself, but it looks like this is 
what Nick wants to do and report back how did it go. I'd expect that 
modperl2's build will blow up, since it has no clue what metux MPM means.

Note that it's still in beta state:
http://www.metux.de/mpm/en/?patpage=status

        -- 
        __________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@xxxxxx.xxx http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html