aaronk at umbc
Feb 22, 2012, 5:04 AM
Post #13 of 13
Re: disabling directives in .htaccess files
On Tue, Feb 21, 2012 at 6:55 PM, Cees Hek <ceeshek [at] gmail> wrote:
> On Mon, Feb 13, 2012 at 11:58 PM, Aaron Knister <aaronk [at] umbc> wrote:
> > Hi Tuomo,
> > I don't mean 80,000 virtual hosts. I have over 80k unix accounts for
> > which content is being served via mod_userdir. And I consider each one its
> > own "site". It's critical to the environment that users be prevented from
> > specifying handlers in htaccess files in part exactly for the reasons you
> > specified. The other issue is the potential for suexec abuse. I only have
> > one perl access handler I need to use and it has no global variables.
> Hi Aaron,
> In the end would it not be safer to remove mod_perl altogether? You
> don't mention exactly what you are doing with mod_perl so this may not
> be practical, but you do mention you only have one perl access
> handler. Can that not be rewritten in C? Is there no existing third
> party C module that can do what you need (or be modified slightly to
> do what you need)?
> Also, you briefly mentioned <Perl> sections. These are generally
> pretty easy to get around by just pre-generating your apache.conf file
> using a simple perl script and a templating module. This is how I
> understand most people create complex apache.conf files and this is
> how I have always done it.
> It might sound odd for someone to tell you not to use mod_perl on the
> mod_perl mailing list, but I think in your situation a lighter-weight
> solution would save you a lot of headaches.
I think it may be safer to remove mod_perl altogether and re-write the
module in C (exactly what I did a few days ago, actually). The support
curve is lower if the handler is written in Perl but the code is simple
enough that I think leaving it in C is a good compromise.
Thanks for the feedback!
Division of Information Technology
University of Maryland, Baltimore County
aaronk [at] umbc