At 15:36 29-9-2009, Rasmus Lerdorf wrote:
Ro Achterberg wrote:
> I'm in the midst of setting up my production server, which will be
> running on a fully chrooted non-root LAMP configuration. Due to my high
> demands for performance and security, I've been advised by several
> resources on the net to statically link PHP into Apache. However, all
> information I could find seems to pertain to very old Apache 1.3.x
> configurations, which are no longer compatible with the current
> configure scripts.
That's because statically linking is an outdated idea. There are no
performance nor security benefits. The only reason a traditional static
library is faster than a shared library is because a shared library is
usually build using PIC (Position Independent Code) which adds an offset
lookup table allowing the library to be linked into many different
binaries at the same time. Since libphp5.so is not a general-purpose
shared library, but tied implicitly to a specific SAPI, we build it
non-pic by default which means there is no performance difference.
-Rasmus
Hi Rasmus,
While I totally accept your argument against any supposed increased
performance, I very much dispute that static linking would not have
any security benefits. I think most security researchers would agree
with me that from a security point of view, it would be better to
compile Apache without any module support so as to minimize chances
of hostile code injection. This would obviously have to lead to a
static linking of PHP.
Anyway, thanks for your response. I'll stop trying and use PHP as a
non-PIC DSO.
Bye, Ro
[Index of Archives]
[PHP Users]
[PHP Home]
[PHP on Windows]
[Kernel Newbies]
[PHP Classes]
[Postgresql]
[PHP Books]
[PHP Databases]
[PHP SOAP]