
Re: mass hosting + cgi [WAS: Technical committee acting in gross violation of the Debian constitution]



On Fri, 2014-12-05 at 03:47 +0100, Enrico Weigelt, metux IT consult
wrote: 
> No, it's not, and it's pretty cheap, if done right.
Yes it definitely is, because simply by having gazillions of different
users on the same host, you increase the chance that someone is doing
something stupid, which can be exploited.

And I explicitly didn't talk about what's "cheap", but if you count on
security, you probably shouldn't look at the money. 


> IIRC at that time they've been using cgiexec. I just don't recall
> why they didn't use my muxmpm. (maybe because apache upstream was
> too lazy to pick it up, even though it had been shipped by several
> large distros).
Is that merged upstream in the meantime or currently shipped in any
major distro? Admittedly I haven't heard about it before.


> It adds additional complexity, especially when you're going to manage
> a _large_ number (several k) of users per box.
Security is of course never easy.

>  In such scenarios
> you wanna be careful about system resources like sockets, fds, etc.
I wouldn't see how this is different with other solutions.


Cheers,
Chris.
