Apache ITK vs Suexec

自作多情 submitted on 2019-11-30 02:36:35

Question


What is the benefit of using the ITK module instead of Suexec when running an Apache server? The idea is the same, which is to run scripts with owner privileges instead of nobody, www or apache!

Is it better to use ITK in favor of suexec? If so, why? What about security and performance in comparison?


Answer 1:


MPM-ITK allows you to run Apache with per-user credentials instead of under the Apache user/group. Suexec runs scripts as CGI under a specific user/group, but the static files served by Apache still need more open permissions to be accessed.

MPM-ITK allows all Apache modules (mod_php, etc.) to run under a specific user:group with the static files having the same permissions as the scripts. The main downside is Apache's control process has to run as root (with reduced privileges) so it can switch to any user after the request is parsed. Suexec does not have this security risk, but it is only a solution for script execution (not website content isolation).

Here is a blog post with a good summary regarding MPM-ITK vs Suexec and other solutions. The author accepts the security implications of MPM-ITK with the opinion that it outweighs the drawbacks of the competing solutions. I do not agree with the author that an Apache exploit is less likely to succeed just because the MPM-ITK patch is in use, so I would recommend staying up to date on your security patches (we should anyway, right?) if you are willing to accept the security risk to get the per-user benefit.

In summary, MPM-ITK vs Suexec is really a per-situation decision. The only solution beyond MPM-ITK is per-user Apache instances behind a reverse proxy, if server resources are not a concern. Read more about that here: http://wiki.apache.org/httpd/ExtendingPrivilegeSeparation
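
The two approaches compared in the answer above, side by side as an added configuration example (not part of the original post). Hostnames, users, paths and ID ranges are constructed, and it assumes suexec's compiled-in document root is /var/www and an mpm-itk build for Apache 2.4 that provides `LimitUIDRange`/`LimitGIDRange`.

```apache
# Constructed example: hostnames, users (alice, bob) and paths are placeholders.

# --- Option A: mod_suexec (CGI/SSI programs only) ---
# Apache workers keep running as the server's own User/Group; only the CGI
# program is executed as alice, through the setuid suexec wrapper.
<VirtualHost *:80>
    ServerName alice.example.test
    DocumentRoot /var/www/alice/public
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ /var/www/alice/cgi-bin/
    # Static files under DocumentRoot are still read by the Apache user,
    # so they must remain readable by it (the "more open permissions"
    # mentioned in the answer).
</VirtualHost>

# --- Option B: mpm-itk (the whole request runs as the site owner) ---
<IfModule mpm_itk_module>
    # Server-wide guard for the root-started processes: refuse to switch
    # to IDs outside this range, so never to uid/gid 0 or system accounts.
    LimitUIDRange 1000 60000
    LimitGIDRange 1000 60000
</IfModule>

<VirtualHost *:80>
    ServerName bob.example.test
    DocumentRoot /var/www/bob/public
    <IfModule mpm_itk_module>
        # After the request is parsed, the handling process switches to
        # bob:bob, so mod_php and static file reads both happen as bob.
        AssignUserID bob bob
    </IfModule>
</VirtualHost>
```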



Source: https://stackoverflow.com/questions/16712878/apache-itk-vs-suexec
