Re: security with mod_perl
We use BSD::Resource for our mod_perl clients. Keeps them from eating the machine alive. On another shared machine each client gets their own interpreter with some pretty tight limits on child spawning, open children etc. on top of the Resource limits Shared hosting mod_perl is a real drag to do though unless everyone is pretty low traffic. I'm probably not doing it right, its a 'grown' solution for a few clients, not a huge solution engineering for mass hosting. John- On Wed, 11 Jun 2003 09:58:54 -0700 Mike Zelina [EMAIL PROTECTED] wrote: I have a local hosting provider who has mod_perl installed on the server, but will not enable it for security reasons. After doing some digging on the mod_perl site and thinking about how many ways a renegade mod_perl program could bring down a site (large modules using a lot of memory means larger httpd process, consumes memory, hurts performance, etc.). I couldn't find any documentation on how a host *could* provide mod_perl and do it in a way that would be safe for his server and usable for a client. Maybe some way to restrict memory space or something? One problem I see is that Stat::INC would need to be enabled for everything (at least in the clients sandbox). I guess performance-wise, this would still be way better than straight CGI. Thanks for any help. If there is an M out there for this, please tell me to RTF! I looked into some of the sites listed on the mod_perl providers page on perl.apache.org. However, most of these sites are $99+ per month. My lowly non-profit clients can't afford this much $. I'm debating getting a bunch of non-profits together and do a dedicated server, but I'd rather not do that unless I have to. Thanks, Mike Zelina
RE: security with mod_perl
Not quite a manual, but read some of these discussions on PerlMonks: http://www.perlmonks.org/index.pl?node=mod+perl+isp+hostgo_button=Search mod_perl shared hosting ISPs supporting mod_perl mod_perl: the bane of share webhosting Hope this gives you some answers (not a lot of hope, though) -Sidharth. -Original Message- From: Mike Zelina [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 11, 2003 12:59 PM To: [EMAIL PROTECTED] Subject: security with mod_perl I have a local hosting provider who has mod_perl installed on the server, but will not enable it for security reasons. After doing some digging on the mod_perl site and thinking about how many ways a renegade mod_perl program could bring down a site (large modules using a lot of memory means larger httpd process, consumes memory, hurts performance, etc.). I couldn't find any documentation on how a host *could* provide mod_perl and do it in a way that would be safe for his server and usable for a client. Maybe some way to restrict memory space or something? One problem I see is that Stat::INC would need to be enabled for everything (at least in the clients sandbox). I guess performance-wise, this would still be way better than straight CGI. Thanks for any help. If there is an M out there for this, please tell me to RTF! I looked into some of the sites listed on the mod_perl providers page on perl.apache.org. However, most of these sites are $99+ per month. My lowly non-profit clients can't afford this much $. I'm debating getting a bunch of non-profits together and do a dedicated server, but I'd rather not do that unless I have to. Thanks, Mike Zelina
RE: security with mod_perl
On Wed, 2003-06-11 at 18:09, Sidharth Malhotra wrote: Not quite a manual, but read some of these discussions on PerlMonks: http://www.perlmonks.org/index.pl?node=mod+perl+isp+hostgo_button=Search mod_perl shared hosting ISPs supporting mod_perl mod_perl: the bane of share webhosting Hope this gives you some answers (not a lot of hope, though) You can get nice virtual servers from only 15 GBP / month ( probably about the same in merkan money for similar hosting in the US ). Quite why anybody would want shared hosting when you can have a virtual server (usually with ensim and stuff for newbies) for such a low ammount of money. http://www.bytemark-hosting.co.uk do some good deals and discounts for free software author and seem nice people. -- Aaron Trevena, BSc (Hons) --- Software Engineer Tusker Direct :: www.tuskerdirect.com
Re: security with mod_perl
On Wed, 2003-06-11 at 12:58, Mike Zelina wrote: I couldn't find any documentation on how a host *could* provide mod_perl and do it in a way that would be safe for his server and usable for a client. I was just talking about this with my co-workers. Here's one way: Set up a front-end apache with mod_proxy. Have it proxy all requests for /~user (or whatever) to an unprivileged port assigned to that user (or a name-based virtual host). Give each user their own mod_perl on that port/host that they can do what they want with, since it runs as an unprivileged user (themselves). However, it's quite possible that this is more trouble and less value than the virtual server setups people are selling these days. - Perrin
Re: security with mod_perl
Perrin Harkins wrote: On Wed, 2003-06-11 at 12:58, Mike Zelina wrote: I couldn't find any documentation on how a host *could* provide mod_perl and do it in a way that would be safe for his server and usable for a client. I was just talking about this with my co-workers. Here's one way: Set up a front-end apache with mod_proxy. Have it proxy all requests for /~user (or whatever) to an unprivileged port assigned to that user (or a name-based virtual host). Give each user their own mod_perl on that port/host that they can do what they want with, since it runs as an unprivileged user (themselves). You still have a problem to limit available resources. On some platforms BSD::Resource/Apache::Resource can solve this as John has suggested. However, it's quite possible that this is more trouble and less value than the virtual server setups people are selling these days. __ Stas BekmanJAm_pH -- Just Another mod_perl Hacker http://stason.org/ mod_perl Guide --- http://perl.apache.org mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com http://modperlbook.org http://apache.org http://ticketmaster.com
Re: security with mod_perl
Aaron Trevena wrote: [...] http://www.bytemark-hosting.co.uk do some good deals and discounts for free software author and seem nice people. Please submit ISPs that support mod_perl and/or virtual servers. so we can add them to: http://perl.apache.org/help/isps.html I've added the one mentioned above by Aaron. __ Stas BekmanJAm_pH -- Just Another mod_perl Hacker http://stason.org/ mod_perl Guide --- http://perl.apache.org mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com http://modperlbook.org http://apache.org http://ticketmaster.com