2009/4/8 KaiGai Kohei <kai...@ak.jp.nec.com>:
> KaiGai Kohei wrote:
>> Graham Dumpleton wrote:
>>> 2009/4/8 KaiGai Kohei <kai...@ak.jp.nec.com>:
>>>> Graham Dumpleton wrote:
>>>>> Explain first why using FASTCGI and suexec wouldn't be a better option?
>>>> These are limited to cgi applications, so we cannot apply such kind
>>>> of restriction on the built-in script languages and references on
>>>> static documents (like *.html).
>>> FASTCGI is not restricted to CGI applications. At least in the sense
>>> that FASTCGI allows persistent processes rather than one off processes
>>> like CGI. FASTCGI bindings are available for many different languages,
>>> including scripting languages, so what 'built-in script languages' are
>>> you talking about? The suexec mechanism comes into play as it allows
>>> FASTCGI processes to run as a different user than Apache process.
>>
>> Hmm... I'll try to search for more details of features of FastCGI.
>>
>> If you have a hint, could you tell for the questions currently I have?
>> IIRC, the CGI version of PHP cannot handle applications which write
>> out special HTTP headers, such as WWW-Authenticate: or Location:.
>> Is it possible to handle correctly in FastCGI?
>> I could not find FastCGI support for WebDav. Is it possible to control
>> accesses on files using SELinux?
>
> Hmm... It seems to me FastCGI has same limitation.
> The online document introduces that an authenticator program can
> be performed to handle authentication phase, but it may require
> web applications to be modified.
> http://fastcgi.coremail.cn/configuration.htm#Authenticator
>
> If we don't hesitate to create a new process for each request,
> I have one another idea which does not require new hooks.
> In the traditional client-server model, the server process forks
> a child process to handle a request coming from clients.
> If we have such kind of MPM module, a security module can set
> an individual privilege at the head of ap_run_handler hook.
>
> Needless to say, it has performance tradeoff, but we assume users
> don't give the highest priority on the performance.

See experimental MPM from Apache 2.0.

http://httpd.apache.org/docs/2.0/mod/perchild.html

Didn't get carried through to later Apache versions.

Graham