On 25 October 2011 00:43, Christian Pedaschus <chris / s-4-u.net> wrote:
> On 10/24/2011 12:23 AM, Michal Suchanek wrote:
>> Hello,
>>
>> On 22 October 2011 23:55, Jorge Bo <jorgebo10 / gmail.com> wrote:
>>> Hi,
>>>
>>> I'm a student at the University and currently searching for a
>>> topic for my diploma thesis. I would really like to do something
>>> Ruby-security related. However, i dont have much knowledge about ruby
>>> security i think pehhaps those much involve in Ruby could give me an advice.
>> One thing where Ruby is lacking compared to PHP is user isolation on
>> shared web hosting.
>>
>> This is less of an issue with full machine virtualization becoming
>> commonplace but still poses barrier to entry in implementing Ruby as
>> an alternative to PHP.
>>
>> A good security topic might be evaluating security of shared PHP
>> hosting and either refute there is any security at all or implement
>> comparably secure Ruby plugin suitable for shared hosting in
>> Apache/nginx/other web server.
>>
>> Thanks
>>
>> Michal
>>
> 'thin' and 'unicorn' (just to name some examples) both have built in
> support for chrooting under another uid/gid, and even if they wouldn't,
> nothing is stopping their root from chrooting them manually, so it has
> nothing to do with php at all.
>

I don't think this has anything to do with chrooting.

The mod_php is supposed to work in environment where you have 1000s of
users and each has PHP pages in their home directory.

I don't think spawning 1000s chrooted instances just in case somebody
requested a page of that particular user is viable.

Sure, you can start a chrooted interpreter only when you need one
started as that user.

However, as I understand mod_php it disallows executing external
programs and filters arguments to functions that can open files
instead of chrooting.

Then when one script ends the interpreter can be reset and can run
another script, possibly of completely different web site.

This probably makes it possible to run the web server as single
non-root user, too. That's quite different from saying "yeah, you can
chroot anything".

There are guides on installing mod_php so that such environment works
reasonably. It can be used for both bolt-on "user home pages" on a
shared server and web-hosting only.

Thanks

Michal