By Alasdair Lumsden on 14 Nov 2008
Nick Kew, who works for Sun on their Web Stack project, has just posted to the Webstack Discuss Mailing List about an exciting new Solaris-specific Apache HTTPD module they have been working on. Rather than paraphrase, here is what he posted:
I’ve just introduced mod_privileges to Apache HTTPD trunk.
This is a platform-specific module for Solaris 10 and OpenSolaris, that makes the webserver privileges(5)-aware. This enables the server to be run with enhanced security, and with different settings per virtual host.
The feature likely to be of most interest is that it enables different virtual hosts to run under different Unix user and group IDs, using the VHostUser and VHostGroup directives. This is the capability once promised by the “perchild” MPM.
It has one major drawback: it is not suitable for a threaded MPM. However, it is ideally suited for use with PHP, which of course also precludes threads. It should also be of interest to anyone hosting other in-process scripting environments such as mod_perl, mod_python or mod_ruby, or application modules.
This is a really exciting module. Being able to give each VirtualHost its own user and group is a killer feature for shared hosting companies, who traditionally have had the nightmare of all PHP scripts running under the Apache user. Although solutions exist, such as php-suexec, they are cumbersome and CGI-based, and thus typically slow or memory- and process-intensive. This kind of Apache module sounds like it has the potential to offer a really slick way of solving this particular problem.
Unfortunately it’s in the Apache HTTPD 2.3 trunk, so it has yet to be released into the wild. But I’m looking forward to this becoming production-ready in a future release.
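To make the per-virtual-host separation concrete, here is a configuration sketch added as an illustration; it is not taken from Nick Kew's post or from the Apache project. The account names, hostnames, paths and module file location are assumptions, and only the VHostUser and VHostGroup directives come from the announcement.

```apache
# Added illustration; accounts, hostnames and paths are hypothetical.
# mod_privileges is specific to Solaris 10 / OpenSolaris and is not
# suitable for a threaded MPM, so this assumes a prefork httpd build.
LoadModule privileges_module modules/mod_privileges.so

# Server-wide identity. Without per-vhost settings, every customer's
# in-process PHP would run as this one account (the traditional
# shared-hosting situation the post describes).
User  webservd
Group webservd

<VirtualHost *:80>
    ServerName   customer-a.example.com
    DocumentRoot /export/www/customer-a/htdocs
    # Requests for this vhost are served under customer A's own IDs.
    VHostUser    custa
    VHostGroup   custa
</VirtualHost>

<VirtualHost *:80>
    ServerName   customer-b.example.com
    DocumentRoot /export/www/customer-b/htdocs
    # A different account, so ordinary file permissions separate
    # customer B's scripts from customer A's files.
    VHostUser    custb
    VHostGroup   custb
</VirtualHost>
```

For the separation to mean anything, each document root should be owned by its customer's account and not be readable or writable by the other accounts.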