
Re: alternatives to suexec in etch apache2



On Sat, Feb 16, 2008 at 01:13:35PM -0500, Dan MacNeil wrote:
> Under sarge, woody & potato we ran a modified version of suexec that 
> skipped the check for group writable cgi files.

i've never liked suexec.  it's way too rigid and unconfigurable.  and,
unfortunately, the way it expects vhosts to be set up (esp. directory
layout) is completely unlike the way i set mine up.

i used cgiwrap for a long while, it's far more flexible.


> The problem is that unless the uidID the web server runs as is also a 
> login account
>
> Is there a more elegant way to do this under etch ?
>
> The goal is to have cgi scripts that can be group writable
>
> suPhp is about perfect if it worked w/ cgi-bin/*.pl

then i discovered apache2-mpm-itk (last year, i think). it's what i use
now.

it works just like apache2-mpm-prefork except that each virtual
host runs under its own UID.

works well with normal cgi, php, and libapache2-mod-speedycgi. probably
works with mod_perl too but i don't use that, i don't like using
mod_perl for vhosts. speedy-cgi-perl aka persistent-perl gives me
most of the benefits of mod_perl without the security risk of giving
unfettered access to the apache server (in fact, the mod_perl stuff that
speedy-cgi doesn't give me are precisely the things i don't want vhosts
doing - RW access to apache internals - so there's no loss).  and it
works well with HTML::Mason.


the debian package generally lags behind the other apache2 MPM
packages by a few days, so it's a good idea to Hold this package
after installation so it doesn't get uninstalled and replaced by
apache2-mpm-prefork. of course, this is only relevant if you're tracking
testing or unstable.


Package: apache2-mpm-itk
Priority: extra
Section: net
Installed-Size: 488
Maintainer: Steinar H. Gunderson <sesse@debian.org>
Architecture: amd64
Source: apache2-mpm-itk (2.2.6-01-1)
Version: 2.2.6-01-1+b1
Provides: apache2, apache2-mpm, httpd, httpd-cgi
Depends: apache2.2-common (= 2.2.8-1), libapr1, libaprutil1, libc6 (>= 2.7-1), libpcre3 (>= 7.4)
Conflicts: apache2-common, apache2-mpm
Filename: pool/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-01-1+b1_amd64.deb
Size: 191032
Description: multiuser MPM for Apache 2.2
 The ITK Multi-Processing Module (MPM) works in about the same way as the
 classical "prefork" module (that is, without threads), except that it allows
 you to constrain each individual vhost to a particular system user. This
 allows you to run several different web sites on a single server without
 worrying that they will be able to read each others' files.
 .
 Please note that this MPM is highly experimental, and is not from the same
 tree as the other MPMs.


craig

-- 
craig sanders <cas@taz.net.au>

Jesus -- The other white meat!
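
Added example, not part of the original message or of the mpm-itk project: a small audit of an Apache configuration for the per-vhost isolation described above. It relies on mpm-itk's AssignUserID directive (user and group per vhost); a vhost without it runs as the server-wide default user. The sample config, host names and account names are constructed for illustration.

```python
import re

# Constructed sample config (not from the post); users and hosts are hypothetical.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName alice.example.org
    DocumentRoot /srv/www/alice
    AssignUserID alice alice
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.org
    DocumentRoot /srv/www/bob
    # AssignUserID bob bob   (commented out: falls back to server-wide User/Group)
</VirtualHost>

<VirtualHost *:80>
    ServerName carol.example.org
    DocumentRoot /srv/www/carol
    AssignUserID alice alice
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the arguments of the first uncommented `name` directive, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", body, re.M | re.I)
    return m.group(1).split() if m else None

def audit(conf):
    """Return (server_name, finding) for vhosts not isolated under their own UID."""
    findings, seen = [], {}
    for body in VHOST_RE.findall(conf):
        name = (directive(body, "ServerName") or ["<unnamed>"])[0]
        ids = directive(body, "AssignUserID")
        if ids is None:
            findings.append((name, "no AssignUserID: runs as the server default user"))
        elif len(ids) != 2:
            findings.append((name, "AssignUserID needs a user and a group"))
        elif ids[0] in seen:
            findings.append((name, f"shares UID {ids[0]} with {seen[ids[0]]}"))
        else:
            seen[ids[0]] = name
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF):
        print(f"{name}: {finding}")
```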

