Charles Plessy <ple...@debian.org> writes:

> In summary:
> - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
>   php5-cgi. Debian recommends libapache2-mod-php5, but there are still
>   thousands of installations which report the use of php5-cgi according to the
>   Popularity Contest statistics.

Just to mention, one of the reasons to use php5-cgi instead of libapache2-mod-php5 is that one can achieve much better privilege separation (at the significant cost of speed) by using suexec or something akin to suexec and running scripts via CGI.

That's what we do locally at Stanford for our general sandbox web service (as opposed to the more restricted ones that don't allow arbitrary user CGI scripts): we use a locally-modified suexec that also chroots and acquires file system credentials specific to the particular web site. That way, insecure PHP only permits a compromise of that particular web site and not any other hosted on the same servers.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
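The confinement step a suexec-style CGI wrapper performs before running a site's script, as an added example that is not part of the original message and is neither Apache's suexec nor the locally-modified one described above. The names `confine_to_site` and `MIN_SITE_ID`, the sample path and the uid/gid values are assumptions; acquiring site-specific file system credentials is not shown.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed policy floor, in the spirit of suexec's minimum uid/gid:
 * never run a site's scripts as root or as a system account. */
#define MIN_SITE_ID 1000u

/* Returns 1 if the per-site identity is acceptable, 0 otherwise. */
int site_ids_allowed(uid_t uid, gid_t gid)
{
    return uid >= MIN_SITE_ID && gid >= MIN_SITE_ID;
}
/* Confine the calling (root) process to one site, then drop privileges.
 * Returns 0 on success, -1 on any failure; the caller must not run the
 * script unless this returns 0. */
int confine_to_site(const char *site_root, uid_t uid, gid_t gid)
{
    if (site_root == NULL || site_root[0] != '/' ||
        !site_ids_allowed(uid, gid))
        return -1;
    /* chroot needs root, so it happens before the drop; chdir("/") keeps
     * the working directory from pointing outside the new root. */
    if (chroot(site_root) != 0 || chdir("/") != 0)
        return -1;
    /* Order matters: supplementary groups, then gid, then uid. Once the
     * uid is dropped the process can no longer change the other two. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop took effect and cannot be undone. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample values: site root from argv, uid/gid 2001. */
    const char *root = argc > 1 ? argv[1] : "/srv/sites/example";
    if (confine_to_site(root, 2001, 2001) != 0) {
        fprintf(stderr, "refusing to run script: confinement failed\n");
        return 1;
    }
    /* A real wrapper would now execve() the CGI script with a clean env. */
    return 0;
}
```

Because each site gets its own uid, gid and root directory, a script compromised through insecure PHP runs with only that site's identity and file system view.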