i've read the [EMAIL PROTECTED] archive (mainly the "security suggestion" thread in nov 2000). it seems that quite a few people (including me, recently) want to install mod_perl. usually they need mod_perl because they want to write apache modules in perl instead of c (including me; i really hate writing c code). for example, i'm contemplating writing a custom log handler; previously i was doing custom logging via piped logs, but i think i want to move this inside the apache process.

unfortunately, these people are unable to do so because mod_perl would expose the server internals to normal users. i glanced at the mod_perl 1.27 source code and saw that many perl commands are still set at OR_ALL (allowed in .htaccess). for example: PerlHandler, PerlRequire, PerlSetEnv, etc. in an ISP/shared webhosting environment this is unacceptable. in general they want cgi execution to be wrapped and users to have no access to mod_perl at all via .htaccess. heck, i don't even want users to *be aware* that mod_perl is there. i want mod_perl to be available just for *me* (the webhost/isp admin). no Apache::Registry for them, no Perl*Handler, no nothing; since all of them are "unsafe".

so i'm proposing an ISP_MODE/WEBHOST_MODE/ADMIN_MODE (or whatever) configure option that, if enabled, will change most (all?) of the OR_ALL to RSRC_CONF. i will probably be producing a patch for our own needs internally.

--
dave
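
An added illustration of the OR_ALL versus RSRC_CONF distinction raised in the post above (not part of the original message and not mod_perl code): a Python audit that parses an Apache 1.3 style `command_rec` table, lists the directives a user could set from .htaccess, and applies the proposed OR_ALL to RSRC_CONF change. The table, its handler names and `PerlExampleAdminOnly` are constructed for the example; the flag values are those of Apache 1.3's `http_config.h`.

```python
import re

# Override-context bits as defined in Apache 1.3's http_config.h.
FLAGS = {"OR_NONE": 0, "OR_LIMIT": 1, "OR_OPTIONS": 2, "OR_FILEINFO": 4,
         "OR_AUTHCFG": 8, "OR_INDEXES": 16, "OR_UNSET": 32,
         "ACCESS_CONF": 64, "RSRC_CONF": 128}
FLAGS["OR_ALL"] = 1 | 2 | 4 | 8 | 16
HTACCESS_BITS = FLAGS["OR_ALL"]  # any of these bits lets AllowOverride expose the directive

# Constructed sample of a command_rec table (not copied from mod_perl;
# handler names and the PerlExampleAdminOnly directive are hypothetical).
SAMPLE = '''
static command_rec example_cmds[] = {
    { "PerlHandler", (crft) example_handler_cmd, NULL,
      OR_ALL, ITERATE, "the Perl handler routine name" },
    { "PerlRequire", (crft) example_require_cmd, NULL,
      OR_ALL, ITERATE, "a Perl script name" },
    { "PerlSetEnv", (crft) example_setenv_cmd, NULL,
      OR_ALL, TAKE2, "Perl %ENV key and value" },
    { "PerlExampleAdminOnly", (crft) example_admin_cmd, NULL,
      RSRC_CONF|ACCESS_CONF, FLAG, "hypothetical admin-only flag" },
    { NULL }
};
'''

# Fields: name, handler (skipped), cmd_data (skipped), req_override expression.
ENTRY = re.compile(r'\{\s*"(\w+)"\s*,[^,]*,[^,]*,\s*([A-Z_|\s]+?)\s*,')

def parse(src):
    """Return {directive: req_override bitmask} for each table entry."""
    out = {}
    for name, expr in ENTRY.findall(src):
        mask = 0
        for tok in expr.split("|"):
            mask |= FLAGS[tok.strip()]
        out[name] = mask
    return out

def htaccess_exposed(src):
    """Directives that a user could set from .htaccess."""
    return sorted(n for n, m in parse(src).items() if m & HTACCESS_BITS)

def admin_only(src):
    """Apply the proposed change: every OR_ALL entry becomes RSRC_CONF."""
    return re.sub(r'\bOR_ALL\b', 'RSRC_CONF', src)

if __name__ == "__main__":
    print("exposed before:", htaccess_exposed(SAMPLE))
    print("exposed after: ", htaccess_exposed(admin_only(SAMPLE)))
```

Running the same `htaccess_exposed` check over a real module's command table after patching gives a quick regression test that no directive has slipped back into an .htaccess-reachable context.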
