Pantek Library

Re: alternatives to suexec in etch apache2

From: Craig Sanders <cas(at)taz.net.au>
Date: Sat Feb 16 2008 - 19:20:07 EST


On Sat, Feb 16, 2008 at 01:13:35PM -0500, Dan MacNeil wrote:
> Under sarge, woody & potato we ran modified version of suexec that
> skipped the check for group writable cgi files.

i've never liked suexec. it's way too rigid and unconfigurable. and, unfortunately, the way it expects vhosts to be set up (esp. directory layout) is completely unlike the way i set mine up.

i used cgiwrap for a long while, it's far more flexible.

> The problem is that unless the uidID the web server runs as is also a
> login account
>
> Is there a more elegant way to do this under etch ?
>
> The goal is to have cgi scripts that can be group writable
>
> suPhp is about perfect if it worked w/ cgi-bin/*.pl

then i discovered apache2-mpm-itk (last year, i think). it's what i use now.

it works just like apache2-mpm-prefork except that each virtual host runs under its own UID.

works well with normal cgi, php, and libapache2-mod-speedycgi. probably works with mod_perl too but i don't use that, i don't like using mod_perl for vhosts. speedy-cgi-perl aka persistent-perl gives me most of the benefits of mod_perl without the security risk of giving unfettered access to the apache server (in fact, the mod_perl stuff that speedy-cgi doesn't give me are precisely the things i don't want vhosts doing - RW access to apache internals - so there's no loss). and it works well with HTML::Mason.

the debian package generally lags behind the other apache2 MPM packages by a few days, so it's a good idea to Hold this package after installation so it doesn't get uninstalled and replaced by apache2-mpm-prefork. of course, this is only relevant if you're tracking testing or unstable.


Package: apache2-mpm-itk
Priority: extra
Section: net
Installed-Size: 488
Maintainer: Steinar H. Gunderson <sesse@debian.org>
Architecture: amd64
Source: apache2-mpm-itk (2.2.6-01-1)
Version: 2.2.6-01-1+b1
Provides: apache2, apache2-mpm, httpd, httpd-cgi
Depends: apache2.2-common (= 2.2.8-1), libapr1, libaprutil1, libc6 (>= 2.7-1), libpcre3 (>= 7.4)
Conflicts: apache2-common, apache2-mpm
Filename: pool/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-01-1+b1_amd64.deb
Size: 191032
Description: multiuser MPM for Apache 2.2
 The ITK Multi-Processing Module (MPM) works in about the same way as the
 classical "prefork" module (that is, without threads), except that it allows
 you to constrain each individual vhost to a particular system user. This
 allows you to run several different web sites on a single server without
 worrying that they will be able to read each others' files.
 .
 Please note that this MPM is highly experimental, and is not from the same
 tree as the other MPMs.

craig

-- 
craig sanders 

Jesus -- The other white meat!


-- 
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Sat Feb 16 19:28:34 2008
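
An added example, not part of the original message: a shell check that lists every VirtualHost block lacking a per-vhost user assignment, since the isolation described above only holds for vhosts that are actually given their own UID. It assumes users are assigned with mpm-itk's AssignUserID directive, which the post does not show; the sample config, site names and users are constructed.

```shell
#!/bin/sh
# Added example: report <VirtualHost> blocks with no AssignUserID directive.
# Under mpm-itk such a vhost is served as the default User/Group of the
# server rather than as a dedicated system user.

# vhosts_without_uid [FILE]
# Reads FILE (or stdin) and prints "LINE: <VirtualHost ...>" for each block
# that never sets AssignUserID with both a user and a group.
vhosts_without_uid() {
    awk '
        /^[ \t]*#/ { next }                        # ignore commented-out lines
        tolower($0) ~ /^[ \t]*<virtualhost[ \t>]/ {
            in_vh = 1; has_uid = 0; start = NR
            header = $0; sub(/^[ \t]+/, "", header)
            next
        }
        in_vh && tolower($0) ~ /^[ \t]*assignuserid[ \t]+[^ \t]+[ \t]+[^ \t]+/ {
            has_uid = 1                            # user and group both present
        }
        in_vh && tolower($0) ~ /^[ \t]*<\/virtualhost>/ {
            if (!has_uid) print start ": " header
            in_vh = 0
        }
    ' "${1:--}"
}

# Constructed sample: the first vhost is isolated, the second is not
# (its AssignUserID line is commented out).
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName alpha.example
    DocumentRoot /srv/www/alpha
    <IfModule mpm_itk_module>
        AssignUserID alpha alpha
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName beta.example
    DocumentRoot /srv/www/beta
    # AssignUserID beta beta
</VirtualHost>
EOF
}

# Demo run on the sample; prints the second block only.
sample_conf | vhosts_without_uid
```

To audit a real server, pass each file under the site configuration directory to `vhosts_without_uid` in turn.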

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:52:56 EDT

