Is there another way to run Apache2 securely for end users without using CGI mode?

Question

Is there another way to run Apache2 securely for multiple end users (like hosting hundreds of blogs) without using CGI mode as required by suPHP?

It just seems so inefficient to use CGI mode for PHP when if we could set up permissions properly, we could host PHP through mod_php perhaps?

I mean, I do want to restrict these users to their home directories for their sites, but don't want any security issues.

BTW, I'd like to also make mention of this article, but I still want to know if there's a better way: http://serverfault.com/questions/36867/php-as-cgi-or-apache-module — ServerChecker, Mar 23 '10 at 05:53

score 2 · Accepted Answer · answered Mar 23 '10 at 06:25

PHP support FastCGI out of the box, so you could use mod_fastcgi or mod_fcgid and SuExec to run PHP scripts. It has almost the same performance as mod_php but still will run the scripts in individual user contexts.

You should also read this article series about securing shared hosting platforms.

score 2 · Answer 2 · answered Mar 23 '10 at 06:46

2

I'm looking at MPM-ITK. Each vhost runs as it's own uid:gid. It's a prefork, so there's no threading problems either.

answered Mar 23 '10 at 06:46

jldugger

14,122
19
73
129

1

When using mpm-itk the httpd master process runs with root privileges. For security reasons you want to avoid outward facing services to be run with root privileges usually. – joschi Mar 23 '10 at 07:12

Is there another way to run Apache2 securely for end users without using CGI mode?

2 Answers2