This is something I asked before, like one or two years ago. I just want 
to see if a solution has come up since then.

The problem is that with the normal (Linux distro) installation of Apache
and mod_perl, all processes for all active scripting (CGI, Perl, PHP, ...)
run as the same user. Thus, if I run a mod_perl app which keeps a data
repository in a file, then that file needs to grant write permissions to
the web user. If there are untrusted users with access to PHP on the
system, then this becomes a problem, since they could easily overwrite
that file with a simple script.

One may ask why untrusted users should have access to PHP, but this is
often the case with student servers in academics, specifically in computer
science.

The question is, what is the state-of-the-art approach for protecting data 
written to a file by mod_perl from being overwritten by an untrusted user? 
Is it possible to run all mod_perl things as a separate user (without
having to keep two parallel Apache installations)?

  // Joel
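
The exposure described in the post can be measured before choosing a fix. This added example, not part of the original message, lists the files under a data directory that a given account could overwrite; it assumes GNU `stat`, and the path and the `www-data` account in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (Linux). ACLs and directory permissions
# (which allow replacing a file via rename/unlink) are not examined.

# writable_by FILE UID "GID ..."  ->  prints owner | group | other | no
writable_by() {
    wb_file=$1 wb_uid=$2 wb_gids=$3
    wb_info=$(stat -c '%u %g %a' -- "$wb_file") || return 2
    set -- $wb_info
    wb_fuid=$1 wb_fgid=$2
    wb_mode=$(( 0$3 ))              # %a prints octal, e.g. 644
    if [ "$wb_uid" = "$wb_fuid" ]; then
        # The owner can always chmod the file, so a clear write bit is moot.
        echo owner
        return 0
    fi
    # Unix checks exactly one class: group if the account is a member,
    # otherwise other.
    wb_bit=0002 wb_class=other
    for wb_g in $wb_gids; do
        if [ "$wb_g" = "$wb_fgid" ]; then wb_bit=0020 wb_class=group; fi
    done
    if [ $(( wb_mode & $wb_bit )) -ne 0 ]; then
        echo "$wb_class"
    else
        echo no
    fi
}

# audit_dir DIR UID "GID ..."  ->  one "class<TAB>path" line per exposed file
audit_dir() {
    find "$1" -type f -print | while IFS= read -r ad_f; do
        ad_c=$(writable_by "$ad_f" "$2" "$3") || continue
        if [ "$ad_c" != no ]; then printf '%s\t%s\n' "$ad_c" "$ad_f"; fi
    done
}

# Usage (hypothetical path and account name):
#   audit_dir /srv/myapp/data "$(id -u www-data)" "$(id -G www-data)"
```

Every line it prints is a file that any script running as the audited account, PHP included, can modify; files reported as `owner` stay exposed even with mode 0400.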
