This is something I asked before, like one or two years ago. I just want to see if a solution has come up since then.
The problem is that with the normal (linux-distro) installation of apache and mod_perl, all processes for all active scripting (cgi, perl, PHP..) run as the same user. Thus, if I run a mod_perl app which keeps a data repository in a file, then that file needs to grant write permissions to the web user. If there are untrusted users with access to PHP on the system, then this becomes a problem, since they could easily overwrite that file with a simple script.
One may ask why untrusted users should have access to PHP, but this is often the case with student servers in academics, specifically in computer science.
The question is, what is the state-of-the-art approach for protecting data written to a file by mod_perl from being overwritten by an untrusted user? Is it possible to run all mod_perl things as a separate user (without having to keep two parallel apache installations)?
That would be possible with mod_perl 2.0, when Apache releases the perchild mpm. Since at this moment nobody seems to be interested in finishing it off, I can't tell you when it's going to be available. If you have tuits to complete it (there is a working prototype) email the httpd-dev list. Alternatively you may want to sponsor one of the developers to do the work.
For more information see: http://httpd.apache.org/docs-2.0/mod/perchild.html
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
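An added example, not part of either message in this thread: a small audit of the exposure the question describes, listing the ways any script running under the shared web-server account could alter a data file. The uid, file name and modes are constructed for the demonstration; only classic mode bits are evaluated (ACLs and root are ignored).

```python
import os
import stat
import tempfile

def granted(st, uid, gids):
    """rwx bits (0-7) the classic Unix check gives uid/gids (ACLs ignored)."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def exposure(path, uid, gids):
    """Ways a script running as uid/gids could change the data file at path."""
    reasons = []
    st = os.stat(path)
    if granted(st, uid, gids) & 2:
        reasons.append("file writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # Write+search on the directory allows unlink/rename, i.e. replacing the
    # file, unless the sticky bit is set and uid owns neither file nor directory.
    if (granted(parent, uid, gids) & 3) == 3:
        sticky = parent.st_mode & stat.S_ISVTX
        if not sticky or uid in (st.st_uid, parent.st_uid):
            reasons.append("parent directory allows replacement")
    return reasons

def demo():
    """Constructed sample: one temp file audited under several mode settings."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        f = os.path.join(d, "repository.dat")
        open(f, "w").close()
        web_uid = os.stat(f).st_uid + 1  # hypothetical web-server uid, not the owner
        for label, dmode, fmode in [("locked", 0o755, 0o644),
                                    ("world-writable file", 0o755, 0o666),
                                    ("open dir", 0o777, 0o644),
                                    ("sticky dir", 0o1777, 0o644)]:
            os.chmod(f, fmode)
            os.chmod(d, dmode)
            results[label] = exposure(f, web_uid, set())
        os.chmod(d, 0o700)  # restore so cleanup succeeds
    return results

if __name__ == "__main__":
    for label, reasons in demo().items():
        print(f"{label}: {reasons or 'not exposed'}")
```

On a real server, call `exposure()` with the web-server account's uid and group ids for each data file; any non-empty result is a file that every script sharing that account can change.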