On Wed, 15 Aug 2001, Philip Mak wrote:

> When I have multiple virtual hosts running Apache::ASP (mod_perl), do they
> need to run their own instance of Apache?
>
> I've read through http://perl.apache.org/guide/multiuser.html and this is
> what I've gathered:
>
> 1. A hacker with access to a virtual host on a mod_perl Apache can steal
> the Apache::DBI database handles of the other virtual hosts on that
> Apache. suexec/cgiwrap won't work in mod_perl.

This is true for anything that can be snooped. Apache::DBI is just an
example. You don't even have to snoop, you have to run under the same
uid/gid, which means you can just read the source code.

> 2. Scripts from one virtual host can call a script with the same path from
> the other virtual host. Setting $Apache::Registry::NameWithVirtualHost to
> 1 in startup.pl gets around this problem.
>
> So, it sounds like if I set $Apache::Registry::NameWithVirtualHost to 1,
> and the webmasters of the different virtual hosts trust each other, then
> it is safe to put them on the same Apache?

Yes.


_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide
mailto:[EMAIL PROTECTED]   http://localhost/      http://eXtropia.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
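
Added example, not part of the original message and not mod_perl's own code: a simplified model of the script-cache collision from point 2, where a registry-style handler compiles each script once into a package named after the request URI, and prepending the virtual host name keeps two hosts' same-path scripts apart. The helper names `package_for` and `serve`, the host names and the paths are constructed for illustration, and the model leaves out the real handler's modification-time check.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Model of the cache key: the package name is built from the URI, optionally
# prefixed with the virtual host name (the NameWithVirtualHost behaviour).
sub package_for {
    my ($vhost, $uri, $name_with_virtual_host) = @_;
    my $key = $name_with_virtual_host ? $vhost . $uri : $uri;
    # Escape characters that are not valid in a package name, then turn
    # path separators into package separators.
    $key =~ s/([^A-Za-z0-9\/])/sprintf("_%02x", ord $1)/eg;
    $key =~ s{/+}{::}g;
    return "Apache::ROOT$key";
}

my %cache;    # package name -> file that was compiled into it

# Compile on the first request for a package, reuse the cached code afterwards.
sub serve {
    my ($vhost, $docroot, $uri, $flag) = @_;
    my $pkg = package_for($vhost, $uri, $flag);
    $cache{$pkg} //= "$docroot$uri";
    return ($pkg, $cache{$pkg});
}

# Constructed sample: two virtual hosts, each with a script at the same URI.
my @requests = (
    [ 'a.example', '/home/a/htdocs', '/perl/login.pl' ],
    [ 'b.example', '/home/b/htdocs', '/perl/login.pl' ],
);

for my $flag (0, 1) {
    %cache = ();
    print "NameWithVirtualHost = $flag\n";
    for my $req (@requests) {
        my ($vhost, $docroot, $uri) = @$req;
        my ($pkg, $ran) = serve($vhost, $docroot, $uri, $flag);
        my $note = $ran eq "$docroot$uri" ? "" : "   <-- other host's code";
        print "  $vhost$uri\n    package $pkg\n    ran     $ran$note\n";
    }
}
```

With the flag off, both requests map to one package and the second host is served the first host's compiled script; with it on, each host gets its own package. This only separates the cache entries: all hosts still run under the same uid/gid, as the reply above notes.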

