"Nick Kew" <[EMAIL PROTECTED]>; [EMAIL PROTECTED]:11 GMT-5

I agree the documentation should be better. Also we should properly document
the perchild-like options, since that is frequently-requested. In the
meantime, here's a list of things to look at if you want perchild-like:
* Metux MPM
* mod_ruid (Linux only)
* fastcgi (CGI plus)
* suexec (for CGI)

Hi, sorry if this is off-topic, but I just want to make sure I understand this problem. Last month I read an email on another list (suPHP) in which someone was upset about the security of Apache 2.0.x with all file I/O and CGI being done by a single user, and the perchild MPM being broken. The frustration is that it is difficult, if not impossible (and potentially not even portable) to get all of these "workarounds" working together. And the clinching belief is that these should all be handled in the core of Apache, or with a working MPM.


Here I post as complete a list as I can think of, including the new ones I see above.

* cgiwrap
* FastCGI
* Metux MPM
* mod_perl
* mod_php
* mod_ruid  (Linux only)
* suexec
* suphp

It's already a huge list of workarounds, and compatibility and portability for an admin could be a nightmare. I do not know if there are even more security wrappers needed for other language modules. Can anyone add to the list some things which might commonly be used in concert? Is there any "direction" given from "the top" of the Apache group in regards to what gets attention? In the message on the suPHP list, it is implied that there is in general a mentality that security is not a priority (at least regarding setuid per request as perchild MPM would like to do), only competing with MS/IIS.

I'm not implying anything, I don't know what to believe, so that's why I ask. I'm just trying to understand where the breakdown is. A feature that people want, the lack of which spawns a sloppy slew of incompatible workarounds, but no one around to respond and code it or fix what's available. The strength of Apache was always *nix, so why abandon security on *nix for the sake of portability to Windows? It's the natural impression given by first glance of the timeline of events, not an accusation. Or is it just coincidence that someone (or many people) lost interest in perchild and there's been no one to pick up the slack, and other people just happened to want to increase portability to Windows?

I mean, I like having a Windows port, because I can at least practice using Apache somewhat, and it expands the development platform, but I won't ever, ever, EVER run it on Windows in production, simply because I'd never run Windows in production. Except insofar as to show Windows users a shining example of free software, and offer the idea of using an entire OS filled with shining examples of free software engineering. ;-) Tongue in cheek of course, with the ugly little problems such as this code abandonment of vital features at the back of my mind. I don't mean to start an OS flame war, so please don't respond with that in mind. :-) If other people would like to use Windows, it takes nothing away from me, I'm just stating opinion based on my own interaction and experience with Apache, Win, and *nix (Linux & FreeBSD).

Leif



