On Fri, 3 May 2013 19:36:33 -0700 (PDT),
krzf83@gmail.com wrote:
> I've been using apache with suexec and mod_fcgid. It starts php
> handlers as selected system user and listens to requests via PIPES
> (fastcgi protocol). It works well but can't share opcode between many
> handlers. I've been investigating php-fpm approach. What I can see is
> that it only runs as tcp fastcgi server (like 127.0.0.1:9999) (under
> selected system user) and apache has to connect to it using
> FastCGIExternalServer or fastcgi proxy mod. What the hell will stop
> other local users from connecting to 127.0.0.1:9999 and passing their
> own code to handler that is running as other system user? That seems
> totally not secure in shared environment. Am I missing something or
> what?
AFAIK, you only give a path to the script to the FastCGIExternal-server.
You don't give it the script itself.
If you chroot your php-fpm instances, it's pretty tight.
If you don't allow cron-jobs, it's even tighter (unless someone has a
way to chroot cron).
--
---
You received this message because you are subscribed to the Google Groups "highload-php-en" group.
To unsubscribe from this group and stop receiving emails from it, send an email to highload-php-en+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
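
An added example, not part of the original thread or of php-fpm itself: a small Python audit that reads php-fpm pool sections and flags the two points raised above, a TCP listener reachable by every local user and a pool without `chroot`. It goes slightly beyond the thread by also checking Unix-socket permissions (`listen.mode`); the sample pools, users and paths are constructed.

```python
import configparser

# Constructed sample pools; names, users and paths are made up for this example.
SAMPLE_POOLS = """
[site1]
user = site1
listen = 127.0.0.1:9999

[site2]
user = site2
listen = /run/php-fpm/site2.sock
listen.mode = 0666

[site3]
user = site3
listen = /run/php-fpm/site3.sock
listen.owner = site3
listen.group = www-data
listen.mode = 0660
chroot = /srv/site3
"""

def audit_pools(text):
    """Return {pool: [findings]} for each [pool] section of a php-fpm config."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep directive names exactly as written
    cp.read_string(text)
    report = {}
    for pool in cp.sections():
        if pool == "global":
            continue
        s, findings = cp[pool], []
        listen = s.get("listen", "").strip()
        if not listen.startswith("/"):
            # ip:port or bare port: loopback TCP has no per-user access control
            findings.append("tcp-listener")
        else:
            # an unset mode is reported too, so the audit never relies on defaults
            mode = s.get("listen.mode", "").strip()
            if not mode or int(mode, 8) & 0o007:
                findings.append("socket-open-to-other-users")
        if not s.get("chroot", "").strip():
            findings.append("no-chroot")
        report[pool] = findings
    return report

if __name__ == "__main__":
    for pool, findings in audit_pools(SAMPLE_POOLS).items():
        print(pool, findings or "ok")
```
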