Re: Possible release note for systems running PHP through CGI.

On Sun, 19 Aug 2012, Marco d'Itri wrote:
> On Aug 19, Charles Plessy <plessy@debian.org> wrote:
> >  - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
> >    php5-cgi.  Debian recommends libapache2-mod-php5, but there are still
> This is another issue which concerns me, since mod_php forces the use of 
> preforking apache, which means that the server will either stop serving 
> pages or OOM at the first hint of real traffic.
> (And obviously mod_php is wildly insecure for multitenant servers.)

You need php-cgi with something like fcgid to have it properly isolate
several web applications and still be somewhat scalable.  mod-php is
just a toy in its current state, good enough to run stuff at home as
long as it is restricted to localhost...

> >    thousands of installations which report the use of php5-cgi according to the
> >    Popularity Contest statistics.
> Yes, because sensible people who need PHP will try to use it as 
> CGI/FastCGI (or FPM, finally in wheezy).


> I am also concerned that a *simple* solution to restore the old 
> behaviour in a secure way is not provided: maybe php5-cgi should install 
> a sensible default configuration in /etc/apache2/conf.d/ ?

That, and leave mime.types alone.  If the problem is caused by mod-php
under apache, any "simple solution" should be biased towards breaking
mod-php under apache, not everything else.  A good solution would not
break anything.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
