02-16-2008, 05:13 PM
Dan MacNeil

alternatives to suexec in etch apache2

Under sarge, woody & potato we ran a modified version of suexec
that skipped the check for group writable cgi files.


The problem is that unless the uidID the web server runs as is
also a login account


Is there a more elegant way to do this under etch ?

The goal is to have cgi scripts that can be group writable

suPhp is about perfect if it worked w/ cgi-bin/*.pl


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
02-16-2008, 11:20 PM
Craig Sanders

alternatives to suexec in etch apache2

On Sat, Feb 16, 2008 at 01:13:35PM -0500, Dan MacNeil wrote:
> Under sarge, woody & potato we ran a modified version of suexec that
> skipped the check for group writable cgi files.

i've never liked suexec. it's way too rigid and unconfigurable. and,
unfortunately, the way it expects vhosts to be set up (esp. directory
layout) is completely unlike the way i set mine up.

i used cgiwrap for a long while, it's far more flexible.


> The problem is that unless the uidID the web server runs as is also a
> login account
>
> Is there a more elegant way to do this under etch ?
>
> The goal is to have cgi scripts that can be group writable
>
> suPhp is about perfect if it worked w/ cgi-bin/*.pl

then i discovered apache2-mpm-itk (last year, i think). it's what i use
now.

it works just like apache2-mpm-prefork except that each virtual
host runs under its own UID.

works well with normal cgi, php, and libapache2-mod-speedycgi. probably
works with mod_perl too but i don't use that, i don't like using
mod_perl for vhosts. speedy-cgi-perl aka persistent-perl gives me
most of the benefits of mod_perl without the security risk of giving
unfettered access to the apache server (in fact, the mod_perl stuff that
speedy-cgi doesn't give me are precisely the things i don't want vhosts
doing - RW access to apache internals - so there's no loss). and it
works well with HTML::Mason.


the debian package generally lags behind the other apache2 MPM
packages by a few days, so it's a good idea to Hold this package
after installation so it doesn't get uninstalled and replaced by
apache2-mpm-prefork. of course, this is only relevant if you're tracking
testing or unstable.


Package: apache2-mpm-itk
Priority: extra
Section: net
Installed-Size: 488
Maintainer: Steinar H. Gunderson <sesse@debian.org>
Architecture: amd64
Source: apache2-mpm-itk (2.2.6-01-1)
Version: 2.2.6-01-1+b1
Provides: apache2, apache2-mpm, httpd, httpd-cgi
Depends: apache2.2-common (= 2.2.8-1), libapr1, libaprutil1, libc6 (>= 2.7-1), libpcre3 (>= 7.4)
Conflicts: apache2-common, apache2-mpm
Filename: pool/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-01-1+b1_amd64.deb
Size: 191032
Description: multiuser MPM for Apache 2.2
The ITK Multi-Processing Module (MPM) works in about the same way as the
classical "prefork" module (that is, without threads), except that it allows
you to constrain each individual vhost to a particular system user. This
allows you to run several different web sites on a single server without
worrying that they will be able to read each others' files.
.
Please note that this MPM is highly experimental, and is not from the same
tree as the other MPMs.


craig

--
craig sanders <cas@taz.net.au>

Jesus -- The other white meat!


 
02-17-2008, 04:16 AM
Thomas Goirand

alternatives to suexec in etch apache2

Craig Sanders wrote:
> On Sat, Feb 16, 2008 at 01:13:35PM -0500, Dan MacNeil wrote:
>> Under sarge, woody & potato we ran a modified version of suexec that
>> skipped the check for group writable cgi files.
>
> i've never liked suexec. it's way too rigid and unconfigurable. and,
> unfortunately, the way it expects vhosts to be set up (esp. directory
> layout) is completely unlike the way i set mine up.
>
> i used cgiwrap for a long while, it's far more flexible.

Have you ever tried sbox-dtc, that I maintain, for which I contributed
(the SID version now has a config file that I load with libdotconf), and
that is also in Stable? How is it compared to cgiwrap? Does cgi-wrap
support chroot of the cgi-bin, and does it do setlimit() calls?

Thomas


 
02-17-2008, 07:51 PM
Craig Sanders

alternatives to suexec in etch apache2

On Sun, Feb 17, 2008 at 01:16:04PM +0800, Thomas Goirand wrote:
> Craig Sanders wrote:
> > i've never liked suexec. it's way too rigid and unconfigurable. and,
> > unfortunately, the way it expects vhosts to be set up (esp. directory
> > layout) is completely unlike the way i set mine up.
> >
> > i used cgiwrap for a long while, it's far more flexible.
>
> Have you ever tried sbox-dtc, that I maintain, for which I contributed
> (the SID version now has a config file that I load with libdotconf), and
> that is also in Stable? How is it compared to cgiwrap? Does cgi-wrap
> support chroot of the cgi-bin, and does it do setlimit() calls?

nope, never tried it. didn't even know it existed until you mentioned
it just now.

can't remember the details of cgiwrap, it's been a year since i used it.

craig

--
craig sanders <cas@taz.net.au>

"Science is a first-rate piece of furniture for a man's upper
chamber, if he has common sense on the ground floor."
[Oliver Wendell Holmes]


 
02-17-2008, 09:30 PM
Marc Haber

alternatives to suexec in etch apache2

On Sun, Feb 17, 2008 at 11:20:07AM +1100, Craig Sanders wrote:
> Please note that this MPM is highly experimental, and is not from the same
> tree as the other MPMs.

It's that sentence that has scared me away from apache2-mpm-itk.

On my systems, I have a dedicated apache process per virtual host, and
use another apache as reverse proxy to route incoming requests to the
correct virtual host. But that, of course, doesn't scale very well,
and is not (yet) well supported by the Debian apache2 packages.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190


 
02-18-2008, 12:25 AM
Roberto C. Sánchez

alternatives to suexec in etch apache2

On Sun, Feb 17, 2008 at 11:30:32PM +0100, Marc Haber wrote:
>
> On my systems, I have a dedicated apache process per virtual host, and
> use another apache as reverse proxy to route incoming requests to the
> correct virtual host. But that, of course, doesn't scale very well,
> and is not (yet) well supported by the Debian apache2 packages.
>
That is the approach I take on my systems. The manual hacking I have to
do to make that work is really annoying. Perhaps future versions of the
apache2 package will lend themselves more to this approach.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
 
02-18-2008, 01:23 AM
Dan MacNeil

alternatives to suexec in etch apache2

bottom posting.

Craig Sanders wrote:
> On Sat, Feb 16, 2008 at 01:13:35PM -0500, Dan MacNeil wrote:
>> Under sarge, woody & potato we ran a modified version of suexec that
>> skipped the check for group writable cgi files.
>
> i've never liked suexec. it's way too rigid and unconfigurable. and,
> unfortunately, the way it expects vhosts to be set up (esp. directory
> layout) is completely unlike the way i set mine up.
>
> i used cgiwrap for a long while, it's far more flexible.

[snip]

> then i discovered apache2-mpm-itk (last year, i think). it's what i use
> now.
>
> it works just like apache2-mpm-prefork except that each virtual
> host runs under its own UID.
>
> works well with normal cgi, php, and libapache2-mod-speedycgi. probably
> works with mod_perl too but i don't use that, i don't like using
> mod_perl for vhosts. speedy-cgi-perl aka persistent-perl gives me
> most of the benefits of mod_perl without the security risk of giving
> unfettered access to the apache server (in fact, the mod_perl stuff that
> speedy-cgi doesn't give me are precisely the things i don't want vhosts
> doing - RW access to apache internals - so there's no loss). and it
> works well with HTML::Mason.


apache2-mpm-itk looks good.

It would allow us to eliminate libapache2-mod-suphp and php4-cgi

The "highly experimental" bit seems like the author is more
cautious than most people..


From the home page

http://mpm-itk.sesse.net/

...It has been running in production for a few years for some
large sites.


Does apache2-mpm-itk require a separate process for each vhost?

This was not clear to me from the docs and perhaps others would
be curious.



 
02-18-2008, 06:25 AM
Marc Haber

alternatives to suexec in etch apache2

On Sun, Feb 17, 2008 at 08:25:17PM -0500, Roberto C. Sánchez wrote:
> On Sun, Feb 17, 2008 at 11:30:32PM +0100, Marc Haber wrote:
> > On my systems, I have a dedicated apache process per virtual host, and
> > use another apache as reverse proxy to route incoming requests to the
> > correct virtual host. But that, of course, doesn't scale very well,
> > and is not (yet) well supported by the Debian apache2 packages.
> >
> That is the approach I take on my systems. The manual hacking I have to
> do to make that work is really annoying. Perhaps future versions of the
> apache2 package will lend themselves more to this approach.

I have filed bugs against apache2 with patches against utility scripts
to better support this. A few of them have been recently applied one
or another way in sid, but not all of them. Things are progressing
slowly, but they're moving.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190


 
02-18-2008, 08:10 AM
Craig Sanders

alternatives to suexec in etch apache2

On Sun, Feb 17, 2008 at 11:30:32PM +0100, Marc Haber wrote:
> On Sun, Feb 17, 2008 at 11:20:07AM +1100, Craig Sanders wrote:
> > Please note that this MPM is highly experimental, and is not from
> > the same tree as the other MPMs.
>
> It's that sentence that has scared me away from apache2-mpm-itk.
>
> On my systems, I have a dedicated apache process per virtual host, and
> use another apache as reverse proxy to route incoming requests to the
> correct virtual host. But that, of course, doesn't scale very well,
> and is not (yet) well supported by the Debian apache2 packages.

it's worked well for me for almost a year.

not, i hasten to add, in a high-load situation.

YMMV.


i see that warning as being like the name 'unstable' in debian. it's
there to scare away the careless, those who don't know how to test
things before putting them into production use.

try it on a testbed machine, put it under a crushing load. test how it
works for you.


craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #11:

magnetic interference from money/credit cards

