On Wed, 27 Sep 2000, Matthew Byng-Maddick wrote:

> > We all have to do our part to evangelize mod_perl more. I think ISPs are 
> > really key here as I think I may have mentioned before. If you get the ISPs 

Actually I think the people we need to get involved are the web site
builders - the larger companies offering dynamic web content creation. We
also need some more mainstream tools, the oft-requested "Zope-a-like" in
Perl. And it needs to be trivial to install (I'm not sure how likely that
is to be yet).

> > advertise support for mod_perl? How many without charging like US$100 more 
> > a month on top of the normal account fees?
> 
> This is difficult, due to the security issues. If you have client cgi, you
> can always use something like suEXEC or even something as complex as userv
> to run your cgi scripts. With mod_perl, the plugged in scripts can do
> anything that the webserver can, and you can (by writing a module that
> doesn't compile) break the entire webserver.
> 
> > PHP comes with a lot of ISP accounts for free with no extra cost. Java does 
> > not yet, but I've started seeing ISPs starting to support Java in the low 
> > end shared server accounts...
> 
> Wow. I'm surprised, for the security reasons I've outlined above. But then
> I don't know much about PHP, really.

PHP can run as a normal CGI, using suExec. So it's like advertising Perl
support.

What would help mod_perl is a working sandboxing system, based on Safe and
SafeHole. I've advocated that idea before, but still don't have the time
to go and build it. With that sort of system, an ISP could easily trap or
prevent whatever they need to, and we could work with them to build up
secure professional installations.

However, I'm honestly not sure if the whole of mod_perl is "right" for the
majority of small fee ISPs. What the ISPs need is perhaps one of the
mod_perl modules, like Mason, Embperl or AxKit, or something like
that. Rather than letting users write PerlInitHandlers! Unfortunately I
have no idea how you might secure one of these modules, even though one is
my own.

-- 
<Matt/>

Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org | AxKit: http://axkit.org
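
The following is an added example, not part of the original message or of any mod_perl code: a minimal sketch of the compartment idea discussed above, using only Perl's core Safe module (SafeHole is not used). The helper name run_untrusted and the sample snippets are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Hypothetical helper: run one piece of customer code in its own
# compartment. Returns (1, result) on success or (0, error text).
sub run_untrusted {
    my ($code) = @_;
    my $cpt = Safe->new;              # fresh namespace for this code
    $cpt->permit_only(':default');    # file-open, subprocess and exec opcodes stay masked
    my $result = $cpt->reval($code);  # compile and run under the opcode mask
    return $@ ? (0, $@) : (1, $result);
}

# Constructed samples: one harmless, two that need masked opcodes,
# and one that does not compile at all.
my @samples = (
    [ 'arithmetic'   => 'my $n = 6; $n * 7' ],
    [ 'spawn shell'  => 'system("id")' ],
    [ 'read file'    => 'open(my $fh, "<", "/etc/passwd")' ],
    [ 'syntax error' => 'sub {' ],
);

for my $s (@samples) {
    my ($label, $code) = @$s;
    my ($ok, $out) = run_untrusted($code);
    $out = '' unless defined $out;
    $out =~ s/\s+\z//;                # trim the trailing newline on error text
    printf "%-12s %-7s %s\n", $label, ($ok ? 'ran' : 'failed'), $out;
}
```

The masked operations are rejected when the snippet is compiled, and the snippet that does not compile only sets an error for its own call instead of stopping the calling process. The opcode mask does not limit the memory or CPU time a compartment can consume.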
