Posted to modperl@perl.apache.org by Nigel Hamilton <ni...@e1mail.com> on 2000/11/17 12:13:08 UTC

Apache::VirtualHostRegistry

Hi,

	Going along the lines of sharing mod_perl between users for ISPs
.... is there a median position that tempers security concerns/support
costs/hassles etc that a CPAN module could fill?

	I'm thinking of a module like Apache::Registry but it segments the
namespace/memory between virtual servers --- a sandbox that each virtual
host is kept in?


Nige


Nigel Hamilton
______________________________________________________________________________
http://e1mail.com        e1mail - Encrypted 1st Class Mail        e1mail: 1001


On Fri, 17 Nov 2000, Gunther Birznieks wrote:

> I think these are good points.
> 
> However, to some degree, if this is an attempt to allow an ISP protection, 
> it's not because most ISPs offer CGI access to their customers.
> 
> In addition, the moment you give mod_perl access to a developer they have 
> the rights to do a LOT of stuff that goes beyond putting PerlHandlers in an 
> htaccess file.
> 
> It's possible to go through the Apache::Registry package and walk the 
> subroutine tree of precompiled scripts and conceivably figure out stuff 
> about other people's scripts. Actually probably easier to just figure out 
> what packages exist in memory and walk the memory and variables directly. 
> If some of those variables are config vars, then oh well.
> 
> In fact, I should think it is conceivable that one mod_perl script could 
> theoretically replace another mod_perl script within the Apache::Registry 
> by manipulating the global variables within Apache::Registry.
> 
> So in other words, if you can't have a semblance of trust your developers 
> against each other, then mod_perl simply cannot be configured in a way that 
> developers can truly share the same web server.
> 
> However, I don't think many people advocate sharing mod_perl web servers in 
> the real world with apache 1.3. When Apache and mod_perl 2.0 come out, I 
> suspect the new architecture will allow very cool things like Perl 
> Interpreter segmentation among virtual hosts. But until that happens, 
> there's really not much you can do.
> 
> It seems to me that mod_perl wasn't really designed for safety against your 
> own developers doing something malicious. And most if not all people pretty 
> much run their servers that way. Most people who run mod_perl run it as 
> their own dedicated server.
> 
> 
> 


Re: Apache::VirtualHostRegistry

Posted by Matthew Byng-Maddick <mb...@colondot.net>.
On Fri, 17 Nov 2000, Gunther Birznieks wrote:
> At 11:15 AM 11/17/00 +0000, Matthew Byng-Maddick wrote:
> >man jail() on FreeBSD 4.
> But then you lose the benefits of having shared apache processes among many 
> shared users many of whom may have very non-busy web sites. No?

Yes, but this is the only way to reliably have security with mod_perl in
such a way as they can't interfere with anyone else's code.

MBM

-- 
Matthew Byng-Maddick   Home: <mb...@colondot.net>  +44 20  8981 8633  (Home)
http://colondot.net/   Work: <ma...@codix.net> +44 7956 613942  (Mobile)
In California they don't  throw their  garbage away  --  they make it into
television shows.                             -- Woody Allen, "Annie Hall"


Re: Apache::VirtualHostRegistry

Posted by Gunther Birznieks <gu...@extropia.com>.
At 11:15 AM 11/17/00 +0000, Matthew Byng-Maddick wrote:
>On Fri, 17 Nov 2000, Nigel Hamilton wrote:
> >       Going along the lines of sharing mod_perl between users for ISPs
> > .... is there a median position that tempers security concerns/support
> > costs/hassles etc that a CPAN module could fill?
>
>I wouldn't do it like that.

Regardless of wanting to do it like that, I don't think you can do it like 
that. Perl code can't truly segment other arbitrarily written Perl code yet.

The way to do it is as I said in my last post. You need Apache 2.0/mod_perl 
2.0 so that you can explicitly designate perl interpreter pools to be 
assigned to certain virtual hosts.

> >       I'm thinking of a module like Apache::Registry but it segments the
> > namespace/memory between virtual servers --- a sandbox that each virtual
> > host is kept in?
>
>man jail() on FreeBSD 4.

But then you lose the benefits of having shared apache processes among many 
shared users many of whom may have very non-busy web sites. No?
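
The point made in this thread, that packages sharing one Perl interpreter are not isolated from each other, shown as an added example (not part of any post and not Apache::Registry's own code). The `Sandbox::vhost_*` package names, the `visible_symbols` helper and the config value are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from the thread or from Apache::Registry.
# Package names and values are constructed; mod_perl is not loaded.
use strict;
use warnings;

# Two "scripts" compiled into one interpreter, each in its own package,
# as a registry-style loader would arrange for two virtual hosts.
package Sandbox::vhost_a::script;
our %CONFIG = (db_pass => 'constructed-example-value');  # package variable
my  $lexical = 'file-scoped lexical';                     # not in the stash
sub handler { return "vhost_a page" }

package Sandbox::vhost_b::script;
sub handler { return "vhost_b page" }

package main;

# Walk the symbol table under $pkg and list every package hash, array and
# subroutine that any code in the same interpreter can reach by name.
sub visible_symbols {
    my ($pkg) = @_;
    my @found;
    no strict 'refs';
    for my $name (sort keys %{"${pkg}::"}) {
        if ($name =~ /^(.+)::$/) {                 # nested package: recurse
            push @found, visible_symbols("${pkg}::$1");
            next;
        }
        my $full = "${pkg}::${name}";
        push @found, "%$full"  if defined *{$full}{HASH};
        push @found, "\@$full" if defined *{$full}{ARRAY};
        push @found, "&$full"  if defined *{$full}{CODE};
    }
    return @found;
}

print "$_\n" for visible_symbols('Sandbox');

# Code running on behalf of vhost_b reads vhost_a's configuration directly:
# the package prefix is a naming convention, not an access control.
print "read across namespaces: $Sandbox::vhost_a::script::CONFIG{db_pass}\n";
```

The lexical declared with `my` does not appear in the listing because lexicals are not stored in the symbol table; that narrows what is reachable by name but does not make the shared interpreter a security boundary.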



Re: Apache::VirtualHostRegistry

Posted by Matthew Byng-Maddick <mb...@colondot.net>.
On Fri, 17 Nov 2000, Nigel Hamilton wrote:
> 	Going along the lines of sharing mod_perl between users for ISPs
> .... is there a median position that tempers security concerns/support
> costs/hassles etc that a CPAN module could fill?

I wouldn't do it like that.

> 	I'm thinking of a module like Apache::Registry but it segments the
> namespace/memory between virtual servers --- a sandbox that each virtual
> host is kept in?

man jail() on FreeBSD 4.

MBM

-- 
Matthew Byng-Maddick   Home: <mb...@colondot.net>  +44 20  8981 8633  (Home)
http://colondot.net/   Work: <ma...@codix.net> +44 7956 613942  (Mobile)
In California they don't  throw their  garbage away  --  they make it into
television shows.                             -- Woody Allen, "Annie Hall"