On 06/14/2013 08:40 AM, Rafnews issued this missive:
On 14.06.2013 13:21, Rafnews wrote:
On 14.06.2013 13:18, Reindl Harald wrote:
On 14.06.2013 12:35, Rafnews wrote:
however using my standard fedora user account, I still cannot
edit/remove/move files/folders owned by apache user account. while
searching on internet I discovered that fastCGI should allow me (using
my fedora user account) to do such a thing, even if files/folders are
owned by apache user account
this has *nothing* to do with mod_php or fastcgi
the permissions are how they are
* man setfacl
* man chown
* man chgrp
* man chmod
and by the way - the apache user should *not* own the files because
typically a webserver should not be able to rewrite its content
files in case of a security breach
2 of our webserver hosting companies told us that if we want to have
files owned by some other user account than apache, it is needed to have
fastCGI; if not, then we need suPHP or suExec.
However it has been told that FastCGI provides also a performance
increase so, we would like to reach it also :)
thx everybody for helping me. that's a really interesting topic.
till now I understood that suPHP or suExec exist just in order to allow
a user not having permissions to save/edit or remove files/folders from
public_html where only apache had such permissions.
it seems that my understanding was wrong.
For clarification, FastCGI runs PHP as a separate process rather than
as part of Apache ("mod_php5"). It forks PHP off, then communicates
with the PHP instance via either Unix-domain sockets or TCP
connections. PHP returns results back over that pipe which Apache then
presents to the browser.
This permits you to use one of the multithreaded MPM models of Apache
(e.g. "worker" or "event"), thereby giving you the increased
performance. Note that you are HIGHLY cautioned to NOT use one of the
multithreaded MPMs when running PHP as a part of Apache. The problem is
that PHP is not thread safe (well, PHP itself is, but depending on what
PHP is built with, some of the libraries it uses aren't thread safe).
Running PHP as a separate process permits you to run Apache
multithreaded but keep PHP single-threaded.
You can also run PHP as a different user than Apache is. For example,
we typically run Apache as user "apache" but PHP as user "admin". You
can then have different file ownerships for static content (owned by
"apache") and dynamic content (owned by "admin"). Since files would be
written by PHP, the directories that might be poked would only have to
have write permissions granted for "admin".
If you want even more security, you can have PHP run on a physically
separate box than Apache is running on. You use TCP connections to
communicate between them. Only the machine running PHP needs write
access to the content, so you put the dynamic content on the PHP box
and use an NFS read-only export to the web server boxes. That way the
webservers can't poke the content at all. If you manage the security
on the PHP box well (e.g. don't expose it to the Internet), then you
are fairly secure.
"Just because I'm paranoid doesn't mean they aren't out to get me!"
In our experiments, we've also found that using PHP-FPM to manage PHP
is superior to using the various other methods.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Political Correctness: The insane doctrine that postulates that it -
- is entirely possible to pick up a turd by the clean end. -
----------------------------------------------------------------------
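
Added example, not part of the original thread: a small audit of the ownership model discussed above, listing everything under a document root that the web server account could modify (anything it owns, or can write through group or world mode bits). The function names `write_reason` and `audit` and the sample invocation are hypothetical; only classic mode bits are evaluated, so POSIX ACLs set with setfacl are not seen.

```python
import os
import stat
import sys


def write_reason(st, uid, gids):
    """Return why the account (uid, gids) can modify this inode, or None.

    Assumption: only classic mode bits count; ACLs (setfacl) are ignored.
    """
    if st.st_uid == uid:
        # An owner can always chmod the file back to writable, so
        # ownership alone is a finding even when u+w is cleared.
        return "owner"
    if st.st_gid in gids:
        # The group class applies exclusively once the group matches.
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None


def audit(docroot, uid, gids):
    """Walk docroot and return sorted (path, reason) findings."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        # Every directory shows up once as `base`, so checking base plus
        # its files covers the whole tree.
        for path in [base] + [os.path.join(base, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless
            reason = write_reason(st, uid, gids)
            if reason:
                findings.append((path, reason))
    return sorted(findings)


if __name__ == "__main__":
    import pwd

    # Usage (hypothetical): python3 audit.py /var/www/html apache
    root, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    gids = set(os.getgrouplist(account, pw.pw_gid))
    for path, reason in audit(root, pw.pw_uid, gids):
        print(f"{reason:15} {path}")
```

Run it against the web server account (for example "apache"); with PHP running as a separate user, the output should be empty or limited to directories deliberately left writable.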