klaus++

All who sail with us on a privateering voyage must be men with beards. Jan and Hein and Klaas and Pit, they have beards, they have beards. Jan and Hein and Klaas and Pit, they have beards, they sail along.

  • PHP as Fast-CGI on vhosts under suexec on Apache 2.x
    http://www.akriga.com/web_developer_articles/suexec_php_fcgi_vhost.html

    What problem are we trying to solve? Short answer: security + performance. Long answer: When we started as web developers in late 1999 we were using perl and the Common Gateway Interface (CGI) protocol to deliver interactive websites. Apache allowed perl scripts to run as a particular user which meant that permissions for those scripts could be locked down to 700. In other words only that user could access those scripts. Web developers eventually turned to PHP and the most common way to run PHP was as a module (mod_php.so) which meant PHP scripts ran as an unprivileged user - typically www-data.

    Consequently, PHP scripts and the directories they wrote to had to have less restrictive security permissions. Directories are normally set to 777 and the scripts themselves 644. This is true of all the well-known open source PHP projects like Joomla, WordPress, Drupal, Plogger, OSCommerce, Zencart, Moodle, etc. Not only were directories world-writable but any script containing a password was now world-readable.

    With the large scale adoption of Apache virtual hosting there were lots of sites, belonging to lots of users on one machine and their files were now readable by other users.

    Lots of web developers would like to run PHP as a particular user (“suexec”) with its tighter permissions model, but it is not a common setup despite many articles on the subject. There is definitely a performance hit when running PHP with suexec. To overcome this, web developers/sysadmins also run PHP scripts using the FastCGI protocol, the Apache implementation of which is called mod_fcgid.

    #web #hosting #security #PHP
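An added example of the setup the bookmarked article describes (not code from the article or from akriga.com): a per-vhost FastCGI wrapper that mod_fcgid launches through suexec, the matching Apache `<VirtualHost>` block, and a small audit that counts the world-writable directories and world-readable files a mod_php deployment tends to leave behind. The user name `alice`, the paths and the server name are placeholders; `SuexecUserGroup`, `FcgidWrapper` and `AddHandler fcgid-script` are the real mod_suexec/mod_fcgid directives.

```shell
#!/bin/sh
# Added example (not from the linked article). Per-vhost pieces for running
# PHP as FastCGI under suexec, plus an audit for the loose modes (777 dirs,
# world-readable config files) that the mod_php setup forces on you.
# User, group, docroot, server name and wrapper path are hypothetical.

# Write the FastCGI wrapper to $1. suexec will only run it if it lives below
# the compiled-in suexec document root (/var/www on Debian/Ubuntu builds),
# is owned by the vhost user, and is not writable by group or others.
write_php_wrapper() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Started by mod_fcgid through suexec, so php-cgi runs with the vhost
# user's uid instead of www-data.
export PHP_FCGI_CHILDREN=4
export PHP_FCGI_MAX_REQUESTS=1000
exec /usr/bin/php-cgi
EOF
    chmod 750 "$1"
}

# Print a <VirtualHost> block for user $1, group $2, server name $3,
# docroot $4 and wrapper $5. Requires mod_suexec and mod_fcgid to be loaded.
print_vhost_conf() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $3
    DocumentRoot $4
    # Every CGI/FastCGI process for this vhost runs as $1:$2, not www-data,
    # so the code and its directories can stay at 700/600.
    SuexecUserGroup $1 $2
    <Directory $4>
        Options +ExecCGI
        AllowOverride All
        AddHandler fcgid-script .php
        # suexec executes the wrapper, and the wrapper execs php-cgi.
        FcgidWrapper $5 .php
        # Apache 2.4 access syntax (2.2 uses Order/Allow).
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Count directories under $1 that are writable by "others" (the 777 pattern).
count_world_writable_dirs() {
    find "$1" -type d -perm -002 | wc -l | tr -d ' '
}

# Count regular files under $1 readable by "others". With suexec nothing in
# the docroot needs to be world-readable, so each hit is a candidate for a
# config file holding a database password.
count_world_readable_files() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# Usage: sh this.sh /var/www/alice/htdocs
# Audits that tree and prints the vhost block for the placeholder user.
if [ -n "${1:-}" ]; then
    echo "world-writable directories: $(count_world_writable_dirs "$1")"
    echo "world-readable files:       $(count_world_readable_files "$1")"
    print_vhost_conf alice alice www.example.com "$1" /var/www/alice/php-wrapper
fi
```

Before enabling the vhost, check the compiled-in constraints with `suexec -V`: the wrapper must sit under the reported document root, be owned by a uid and gid above the configured minimums, and not be group- or world-writable, otherwise suexec refuses to execute it and the request fails with an internal server error rather than a permissions warning.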