
Re: [LUG] Apache security flaw - my website cracked


Theo Zourzouvillys wrote:
> On Wednesday 19 July 2006 20:42, James Fidell wrote:
>> Ahh, well, on the systems I look after that do shared hosting and
>> mod_php I have also modified Apache somewhat so that all scripts,
>> whether PHP, perl or whatever, run as the site-owner, even where they
>> are executed within Apache itself (as with mod_php), or using fastcgi or
>> suexec, along with a few other "modifications".
> 
> suexec is fine - however it's currently impossible to get Apache to switch to 
> the site owner to execute within Apache itself (i.e., using mod_php) and then 
> switch back [1] (although you could just exit the child process, but that's 
> almost as bad).  This is a limitation of UNIX security design rather than 
> Linux itself.

You can't switch back without introducing a security risk, as you say,
though I know of people using code that does so.  The idea of leaving
any potential hole through which one user might get privileges for
another horrifies me.

> Apache can launch different threads/processes for different users - but try 
> that on a large scale.

Well, the current system is working without pain for in excess of five
million hits per day and many thousands of users.  Not enormous, but
still fairly large.  It's not as lightweight as might be desirable
though, I'd have to admit.

> I have worked for 3 different companies running from 5k to 200k+ virtual 
> hosts, none of them suffering a single security incident in their history - 
> so don't worry, it *can* be done :)
> 
> Methods can also be put in place to make changes not affect end users - 
> although you will always have a few problems.

Oh, I know it *can* be done, it's just in this case, budget and manpower
dictated that changing the ways people were using the existing (highly
insecure) system wasn't feasible.

> It all boils down to the cost of support vs how much you lose in the way of 
> hacked machines + face value of hacked machines.  If you lose no face value 
> (read: can cover it up) and it doesn't cost too much to fix them in the way of 
> losing customers and administration time, then the rules of business dictate 
> it's not worth spending 10k on fixing the problem ;)

Quite so.

James

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html