> > 
> > > This is a general Unix webserver issue and not specific to 
> > > mod_perl, so I've marked your message [OT] for off-topic.
> > 
> > Well, workarounds are available for specific webserver environments, so I
> > don't believe it's an inappropriate question.
> > 
> > With CGI, you use the suexec mechanism to start executable programs as a
> > particular user.  AFAIK you can't impersonate a user on unixy environments
> > without forking a new process.  And forking a new process under mod_perl
> > really defeats the purpose.

changing userids has nothing to do with fork()... the problem is simply
that it requires root privileges, and since you need to give them up
permanently if you're going to run someone else's "insecure" code, that
usually means a temporary process... (which typically means fork()ing a
short lived process, so you could make the connection)...

The apache 2.0 model seems to include a mechanism for routing requests to
a group of apache child processes which have _already_ switched to the
target userid... in short, the pre-fork model is extended to have classes
of pre-forked processes... it seems to be a mighty good fix for this
particular problem.

That said, I only took about two minutes reading one of the URLs posted
earlier today, but I got that far and said "that'll work!" and quit
reading until I have time to actually test some of this ...

-Tom
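
The permanent privilege drop discussed in this message, sketched in C as an added example that is not part of the original thread or of Apache's code. The function name and the command-line usage are hypothetical; the target uid and gid are supplied by the caller.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes setgroups() in <grp.h> */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns 0 once the process can no longer become
   root, -1 (with errno set) otherwise. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0) {                    /* "dropping" to root is a caller bug */
        errno = EINVAL;
        return -1;
    }
    /* Order matters: supplementary groups, then gid, then uid. After
       setuid() the process lacks the privilege to change its groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)              /* as root: sets real, effective, saved */
        return -1;
    /* Verify instead of trusting return codes: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed usage: ./drop <uid> <gid>; defaults to the caller's own ids. */
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    if (drop_privileges_permanently(uid, gid) != 0) {
        perror("drop_privileges_permanently");
        return 1;                      /* never continue with privileges intact */
    }
    printf("uid=%d gid=%d, root not regainable\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Because the drop cannot be undone inside the process, a server that must serve several users needs either a short-lived child per request or a pool of children that have each already switched to one target userid.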

