22 Jan 2003 blindcoder   » (Journeyer)


Screw those guys from Addison-Wesley! Quote from their book "Apache Webserver 2.0":

[mpm_perchild] is especially useful for big ISPs because they can run their Virtual Hosts under the user and group of their customers

While this is not entirely false, it's not the whole picture. Imagine an ISP with some 300 customers (does that count as large? I doubt that) and a configuration with mpm_perchild like this:

*config config*
# yes, that's 300. One for each client
NumServers 300
*more config*

# just assume all on one IP
NameVirtualHost xxx.xxx.xxx.xxx

<VirtualHost xxx.xxx.xxx.xxx>
    DocumentRoot /var/www/cust0001
    # That's User, Group and Number of Servers for this combination.
    # This can also go into Global, and doesn't actually change the
    # User and Group for the VHost
    ChildPerUserId cust0001 cust0001 1
    # User and group for this VHost
    AssignUserId cust0001 cust0001
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx>
    DocumentRoot /var/www/cust0002
    ChildPerUserId cust0002 cust0002 1
    AssignUserId cust0002 cust0002
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx>
    DocumentRoot /var/www/cust0003
    ChildPerUserId cust0003 cust0003 1
    AssignUserId cust0003 cust0003
</VirtualHost>

and so on until cust0300. A `ps -eaf | grep httpd` would then show:

cust0001  3582  3580  0 08:48:08 ?        0:00 /avol1/intranet/apache2/bin/httpd -k start
cust0002  3583  3580  0 08:48:08 ?        0:00 /avol1/intranet/apache2/bin/httpd -k start
cust0003  3584  3580  0 08:48:08 ?        0:00 /avol1/intranet/apache2/bin/httpd -k start
cust0300  3882  3580  0 08:48:08 ?        0:00 /avol1/intranet/apache2/bin/httpd -k start

This is but an example for a medium-sized ISP with 300 VHosts. Now, think of BIG ISPs with several THOUSAND VHosts. Okay, they wouldn't run on one machine, but that doesn't eliminate the problem IMO.

Oh, and if you wonder about CGI scripts: a CGI script running in /var/www/cust0001/cgi-bin, owned by cust0001, with the following content:


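#!/bin/bash
echo -e "Content-Type: text/plain\n\n"

# Report where and as whom the script is running
echo "PWD: `pwd`"
echo "USER: `id`"
# Try to write a file next to the script
date >> hello && okay="1"
if [ "_$okay" == "_1" ] ; then
    echo "Okay"
else
    echo "MEEP MEEP"
fi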

would create the following output:

PWD: /pvol1/icntest/wt0000/cgi-bin
USER: uid=43697(infowww) gid=2000(webadmin)

So you STILL need the suEXEC wrapper.
And now PLEASE tell me that I'm terribly, TERRIBLY wrong.
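
The CGI identity problem above, as an added example that is not part of the original entry: a check that compares a CGI script's owner with the uid it would actually be executed as, and tests three conditions that suEXEC itself enforces before running a target. The function name audit_cgi and the reliance on GNU `stat -c` are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. The function name audit_cgi
# is hypothetical; requires GNU stat (stat -c).

# audit_cgi FILE [RUN_UID]
#   RUN_UID: uid the web server child executes CGI as (default: current uid).
#   Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_cgi() {
    local file="$1" run_uid="${2:-$(id -u)}"
    local owner mode dmode findings=0

    owner=$(stat -c %u "$file") || return 2
    mode=$(stat -c %a "$file")
    dmode=$(stat -c %a "$(dirname "$file")")

    # The situation from the post: script owned by the customer, but
    # executed under a different uid (the server's own).
    if [ "$owner" != "$run_uid" ]; then
        echo "runs-as-mismatch: owner uid $owner, executed as uid $run_uid"
        findings=1
    fi
    # suEXEC refuses a target that is writable by group or others ...
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "script-writable-by-others: mode $mode"
        findings=1
    fi
    # ... a target inside a directory writable by group or others ...
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "dir-writable-by-others: mode $dmode"
        findings=1
    fi
    # ... and a target with the setuid or setgid bit set.
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "setuid-or-setgid: mode $mode"
        findings=1
    fi
    return $findings
}

# Direct use: ./audit_cgi.sh /var/www/cust0001/cgi-bin/test.cgi [uid]
if [ $# -ge 1 ]; then
    audit_cgi "$@"
fi
```

Pass the uid of the httpd child serving the VHost as the second argument to see whether a customer's script would run under the customer's own identity.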
