[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: jessie release goals

On 05/06/2013 09:15 PM, Christoph Anton Mitterer wrote:
> Hey.
> I would like to see the following with respect to PHP and all packages
> using PHP:
> 1) We should try to educate users not to use mod_php. From a security
> POV it's rather problematic, as it runs in server context. And for
> people really needing the performance, FPM should be an equally good
> solution.
There's not only FPM as a solution. I maintain SBOX to do chroot, and
I use it together with aufs to maintain chroot templates. I also currently
maintain my own version of Apache with a patch to backport the
AllowOverrideList feature of Apache 2.4 in the (old)stable Debian, so
that a hacker can't write in a .htaccess to hook the Options / AddHandler
thing and by-pass my cgi-wrapper.

So yeah, maintainers shouldn't assume mod_php. But please do not
assume FPM either!

By the way, using FPM + SBOX should be a quite nice thing, which I need
to investigate.


Reply to: