On Thu, Jul 19, 2012 at 10:17 AM, Steinar H. Gunderson <[email protected]> wrote:
> Hi,
>
> I've asked previously on this list about inclusion of mpm-itk
> (http://mpm-itk.sesse.net/) into upstream Apache; previously, the requests
> have died down, mostly over discussions on security (mpm-itk does
> configuration and request parsing as uid 0, although with very limited
> capabilities) and arguments along the lines of “there is no need”,
> e.g. various people I've talked to feel that there are other adequate
> solutions for the problem, including suexec, multiple Apache instances with
> reverse proxying, or some GSoC project.
> (http://wiki.apache.org/httpd/PrivilegeSeparation even claims you can
> keep administrators from reading each others' sites simply by setting
> chmod 0640, completely ignoring the case where you can run PHP code
> or CGI scripts!)
>
> However, since then mod_privileges has entered Apache trunk, which gives
> similar functionality (contradicting the arguments about “no need”), is very
> similar in terms of security model (contradicting the arguments about “the
> model is too insecure”), but is Solaris-specific, has less functionality (it
> lacks per-vhost nicing and per-vhost client limits), and generally seems to
> be less mature (e.g., as far as I can see, it fails to adequately handle the
> case where the client goes to a different-uid vhost and .htaccess thus is
> not readable).
>
> Furthermore, Fedora has recently accepted the mpm-itk patch into their Apache
> packages. This means that nearly every major distributor of Apache now
> supports mpm-itk; in particular, Arch, Debian, Fedora, FreeBSD ports, Gentoo,
> Mandriva, openSUSE and Ubuntu all include mpm-itk. I do not know of any
> module with a similar status, and having them all integrate the patch
> separately instead of simply having it in mainline seems wasteful.
>
> mpm-itk has, despite its non-mainline status, been in production in large
> sites for many years (it has been under development since 2005), and should
> at this point be considered mature. What would be needed to get it into
> mainline?

I personally don't want to think about getting mpm-itk into mainline, but I am
interested in the following, which is largely a prerequisite to what you
requested: What changes are needed to httpd trunk so that you can build mpm-itk
with apxs and enable it via LoadModule, such that mpm-itk is fully functional?
As I'm sure you're aware, prefork, worker, and event are all untied from core
enough to support that in httpd >= 2.4.

>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/

--
Born in Roswell... married an alien...
http://emptyhammock.com/
