Mattias Segerdahl wrote:
Running php as cgi would still involve unique uid's, and I've got about 30k+virtual users.
Without running under separate UIDs you aren't going to get true separation. With separate UIDs, you can run using SUExec and FastCGI as I'm doing (with a much smaller number of user accounts) and use OS permissions to keep accounts separate.
I don't know what bottlenecks you might run into (for instance if you put 30000 users in the password file), but if I was in your position I would write some management scripts to populate the users table and config files etc, and try to get separate accounts working. Using php.ini to block access is not secure AFAIK. Unless you completely lock it down to the point of non-usefulness, it is simple to defeat. Also, if you allow the use of any CGI scripts, then you need separate users and SUExec to be able to secure users' files from one another.
If I have said anything that is misleading or innacurate I trust and hope that someone will correct me.
- Sam --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|