Apache Today: Perchild: Setting Users and Groups per Virtual Host
Aug 18, 2000, 15:33
(Other stories by Ryan Bloom)
[ Thanks to Kevin Reichard for this link. ]
"One of the biggest problems with administering a major server housing multiple sites is restricting access to the sites to only those people responsible for maintaining a specific site. The reason for this is that all of the Apache child processes run with the same user and group ID. Therefore, all of the files need to be readable, writable, and executable by the user and group that the server is running as. This becomes a much bigger issue when you add CGI and PHP scripts to the site. If those scripts must access private information, then that information must be stored with relatively insecure user and group IDs."
"Apache 1.3 solved this problem by introducing suexec, which introduces other problems, and PHP and mod_cgi cannot take advantage of it. Apache 2.0 has introduced a new MPM to solve this problem in a more elegant way that all scripts can take advantage of."
"The new MPM is called Perchild, and it is based on the Dexter MPM. This means that a set number of child processes are created and each process has a dynamic number of threads. In this MPM it is possible to specify User and Group IDs for clusters of child processes. Then, each virtual host is assigned to run in a specific cluster of child processes. If no cluster of child processes is specified, then the virtual host is run with the default User and Group IDs."