> fastcgi proxy mod. What the hell will stop other local users from
> connecting to 127.0.0.1:9999 and passing their own code to handler
> that is running as other system user? That seems totally not secure in shared
> environment. Am I missing something or what?
The point you're missing is 'shared environment'; whether this is cli php where requests are passed or a tcp port makes no difference.
By default any local (external) user should be a limited user, also limited in what and where php code comes from; second, the php process should be isolated and limited and even process-separated from the webserver.
If you are thinking in an environment where everyone can do whatever they want, then securing a php handler is pointless. The same goes for running anything as root, nginx, php or otherwise.