Posted to modperl@perl.apache.org by David Garamond <da...@icqmail.com> on 2002/11/30 03:53:38 UTC

mod_perl configuration for ISP/webhost (disabling mod_perl access for normal users)

i've read the modperl@perl.apache.org archive (mainly the "security 
suggestion" thread in nov 2000). it seems that quite a few people 
(including me, recently) want to install mod_perl. usually they need 
mod_perl because they want to write apache modules in perl instead of c 
(including me; i really hate writing c code). for example, i'm 
contemplating writing a custom log handler; previously i was doing 
custom logging via piped logs, but i think i want to move this inside 
the apache process.

unfortunately, these people are unable to do so because mod_perl would 
expose the server internals to normal users. i glanced at the mod_perl 
1.27 source code and saw that many perl commands are still set at OR_ALL 
(allowed in .htaccess). for example: PerlHandler, PerlRequire, 
PerlSetEnv, etc. in an ISP/shared webhosting environment this is 
unacceptable. in general they want cgi execution to be wrapped and
users to not have access to mod_perl at all via .htaccess. heck, i don't 
even want users to *be aware* that mod_perl is there. i want mod_perl to 
be available just for *me* (the webhost/isp admin). no Apache::Registry 
for them, no Perl*Handler, no nothing; since all of them are "unsafe".

so i'm proposing an ISP_MODE/WEBHOST_MODE/ADMIN_MODE (or whatever) 
configure option that if enabled will change most (all?) of the OR_ALL to 
RSRC_CONF. i will probably be producing a patch for our own needs 
internally.

--
dave
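
An added example, not part of the original post and not mod_perl code: a small audit that reads an Apache 1.3 style command_rec table and reports which directives carry an override class that AllowOverride can hand to .htaccess (OR_ALL and the other OR_* bits), as opposed to RSRC_CONF/ACCESS_CONF only. The table below is constructed; its handler names, argument types, help strings and the Example* directives are assumptions, and only the three Perl* directive names come from the post.

```python
import re

# Constructed sample in the Apache 1.3 command_rec layout:
# { name, handler, cmd_data, req_override, args_how, errmsg }
# Handler names and help strings are made up; this is not mod_perl's source.
SAMPLE_TABLE = r'''
static command_rec example_cmds[] = {
    { "PerlHandler", example_handler_cmd, NULL,
      OR_ALL, ITERATE, "constructed entry" },
    { "PerlRequire", example_require_cmd, NULL,
      OR_ALL, ITERATE, "constructed entry" },
    { "PerlSetEnv", example_setenv_cmd, NULL,
      OR_ALL, TAKE2, "constructed entry" },
    { "ExampleServerOnly", example_server_cmd, NULL,
      RSRC_CONF, TAKE1, "constructed entry" },
    { "ExampleDirOnly", example_dir_cmd, NULL,
      ACCESS_CONF|RSRC_CONF, FLAG, "constructed entry" },
    { "ExampleFileInfo", example_fi_cmd, NULL,
      OR_FILEINFO, TAKE1, "constructed entry" },
    { NULL }
};
'''

# Override classes that AllowOverride can grant to .htaccess files.
HTACCESS_BITS = {"OR_ALL", "OR_LIMIT", "OR_OPTIONS", "OR_FILEINFO",
                 "OR_AUTHCFG", "OR_INDEXES"}

# Name is field 1, req_override is field 4 of each entry.
ENTRY_RE = re.compile(
    r'\{\s*"(?P<name>[^"]+)"\s*,\s*[^,]+,\s*[^,]+,\s*(?P<where>[A-Z_|\s]+?)\s*,')

def audit_command_table(source):
    """Return {directive: sorted .htaccess-capable flags} for exposed entries."""
    exposed = {}
    for m in ENTRY_RE.finditer(source):
        flags = {f.strip() for f in m.group("where").split("|")}
        hits = flags & HTACCESS_BITS
        if hits:
            exposed[m.group("name")] = sorted(hits)
    return exposed

def config_file_only(source):
    """Directives with no .htaccess-capable override bit (httpd.conf only)."""
    exposed = audit_command_table(source)
    return [m.group("name") for m in ENTRY_RE.finditer(source)
            if m.group("name") not in exposed]

if __name__ == "__main__":
    for name, flags in audit_command_table(SAMPLE_TABLE).items():
        print(f"{name}: usable in .htaccess via {'|'.join(flags)}")
```

Pointing `audit_command_table` at the text of a module's real command table gives the list of directives an ISP_MODE-style build option would have to move to RSRC_CONF.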