On Thu, 2014-12-04 at 17:03 +0100, Matthias Urlichs wrote:
> If you can run a CGI inside a chroot/container/whatever, you can run a
> small web server on a local port / Unix socket, and reverse-proxy it,
> just as easily.

Well, that's probably roughly the same, although I'd still feel better if webserver and actual services/programs run with different UIDs, which seems especially important when one also does DB accesses (i.e. access control based on the UID).

> FastCGI is just a slightly more fancy way of doing this.

Sure... I didn't mean to exclude FastCGI, but last time I checked it didn't allow different PHP (talking about the PHP FastCGI version now) programs to run with different UIDs (all run with that of FPM)... but maybe I just didn't check carefully enough.

Cheers,
Chris.
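An added example, not part of the original message: one way a backend reached through a Unix socket can enforce access control based on the caller's UID, by asking the kernel for the peer's credentials with `SO_PEERCRED` (Linux-specific). The function names, the request format and the `socketpair` standing in for the reverse proxy and the backend are assumptions made for illustration.

```python
import os
import socket
import struct

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid
_UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def handle(conn, allowed_uids):
    """Serve one request, refusing peers whose kernel-reported UID is not allowed."""
    _pid, uid, _gid = peer_credentials(conn)
    if uid not in allowed_uids:
        # The UID comes from the kernel, not from anything the client sent,
        # so a compromised program under another UID cannot forge it.
        conn.sendall(b"403 uid %d not allowed\n" % uid)
        return False
    request = conn.recv(1024)
    conn.sendall(b"200 " + request)
    return True


def demo(allowed_uids):
    """Run one proxy -> backend exchange and return the backend's reply."""
    # Constructed stand-in: a socketpair instead of a listening socket file.
    proxy_side, backend_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with proxy_side, backend_side:
        proxy_side.sendall(b"GET /status\n")
        handle(backend_side, allowed_uids)
        return proxy_side.recv(1024)


if __name__ == "__main__":
    me = os.getuid()
    print(demo({me}))      # the proxy's UID is on the allow list
    print(demo({me + 1}))  # allow list names some other UID: refused
```

With a real listening socket, the same check runs on each connection returned by `accept()`, and the allow list would hold the UID the web server runs under.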