Re: user privileges with php (like with suexec)

[Eric Jennings <ericj@loopshot.com>]

Probably not.  If you're not using the CGI version of PHP, then you 
have to use the module version, and thus PHP will be joined at the 
hip with the Apache daemons and you're stuck w/ the user/group that 
Apache is running under.

As you mentioned, the CGI version of PHP does not have this problem, 
but it has its own performance issues (forking new processes, etc.).

You might look into the php.ini file that comes with PHP.  The PHP 
authors have added a lot of security options that you might find 
useful.  Among these are options like disabling any number of PHP 
built-in functions, memory limits on running scripts, processor time 
limits on running scripts, etc.

Unfortunately, the user/group issue with the module version of PHP is 
not easily solveable.

Eric Jennings
Loopshot, LLC


> I am wondering what is the best way to get simular results to suexec
> with php?
>
> I've heard of people running seperate instances of apache for each
> client.  Is that likely to be a messy solution?  how much overhead would
> each instance be?
>
> The other solution is to use the CGI version of php and use suexec.  I
> still don't think this is as nice as just using the the php module.
>
> Have I missed any solutions?
>
> Although I'm reluctant to hack any code that would be running as root,
> would it be possible to hack php to pass pages to child proceses owned
> by the same user as the php file and if none exist create one?
>
> Thanks,
>
> --
> Jeremy Lunn
> Melbourne, Australia
>
>
> --
> To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org