On 06/14/2013 08:40 AM, Rafnews issued this missive:
On 14.06.2013 13:21, Rafnews wrote:On 14.06.2013 13:18, Reindl Harald wrote:Am 14.06.2013 12:35, schrieb Rafnews:however using my standard fedora user account, Ii still can not edit/remove/move files/folders owned by apache user account. while searching on internet i discovered that fastCGI should allow me (using my fedora user account) to do such thing, even if files/folders are owned by apache user accountthis has *nothing* to with mod_php oder fastcgi the permissions are how they are * man setfacl * man chown * man chgrp * man chmod and by the way - the apache user should *not* own the files because typically a webserver should not be able to rewrite his content files in case of a security breach2 of our webserver hosting companies told us that if we want to have files own by some other user account than apache, it is needed to have fastCGI..if not, than we need suPHP or suExec. However it has been told that FastCGI provide also a performance increase so, we would like to reach it also :)thx everybody for helping me. that's really interesting topic. till now i understood that suPHP or suExec exist just in order to allow user not having permissions to save/edit or remove files/folder from public_html where only apache had such permissions. it seems that my understanding was wrong.
For clarification, FastCGI runs PHP as a separate process rather than
as part of Apache ("mod_php5"). It forks PHP off, then communicates
with the PHP instance via either Unix-domain sockets or TCP
connections. PHP returns results back over that pipe which Apache then
presents to the browser.
This permits you to use one of the multithreaded MPM models of Apache
(e.g. "worker" or "event"), thereby giving you the increased
performance. Note that you are HIGHLY cautioned to NOT use one of the multithreaded MPMs when running PHP as a part of Apache. The problem is that PHP is not thread safe (well, PHP itself is, but depending on what PHP is built with, some of the libraries it uses aren't thread safe). Running PHP as a separate process permits you to run Apache multithreaded but keep PHP single-threaded. You can also run PHP as a different user than Apache is. For example, we typically run Apache as user "apache" but PHP as user "admin". You can then have different file ownerships for static content (owned by "apache") and dynamic content (owned by "admin"). Since files would be written by PHP, the directories that might be poked would only have to have write permissions granted for "admin". If you want even more security, you can have PHP run on a physically separate box than Apache is running on. You use TCP connections to communicate between them. Only the machine running PHP needs write access to the content, so you put the dynamic content on the PHP box and use an NFS read-only export to the web server boxes. That way the webservers can't poke the content at all. If you manage the security on the PHP box well (e.g. don't expose it to the Internet), then you are fairly secure. "Just because I'm paranoid doesn't mean they aren't out to get me!" In our experiments, we've also found that using PHP-FPM to manage PHP is superior to using the various other methods. ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx - - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 - - - - Political Correctness: The insane doctrine that postulates that it - - is entirely possible to pick up a turd by the clean end. - ---------------------------------------------------------------------- -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
