Apache ITK vs Suexec


Question

What is the benefit of using ITK module instead of Suexec running Apache server? The idea is the same, which is to run scripts with owner privileges instead of nobody, www or apache!

Is it better to use ITK in favor of suexec? If so, why? What about security and performance in comparison?

Recommended answer

MPM-ITK allows you to run Apache with per-user credentials instead of under the Apache user/group. Suexec runs scripts as CGI under a specific user/group, but the static files served by Apache still need more open permissions to be accessed.

MPM-ITK allows all Apache modules (mod_php, etc.) to run under a specific user:group with the static files having the same permissions as the scripts. The main downside is Apache's control process has to run as root (with reduced privileges) so it can switch to any user after the request is parsed. Suexec does not have this security risk, but it is only a solution for script execution (not website content isolation).

Here is a blog post with a good summary regarding MPM-ITK vs Suexec and other solutions. The author accepts the security implications of MPM-ITK with the opinion that it outweighs the drawbacks of the competing solutions. I do not agree with the author that an Apache exploit is less likely to succeed just because the MPM-ITK patch is in use, so I would recommend staying up to date on your security patches (we should anyway, right?) if you are willing to accept the security risk to get the per-user benefit.

In summary, MPM-ITK vs Suexec is really a per-situation decision. The only solution beyond MPM-ITK is per-user Apache instances behind a reverse proxy, if server resources are not a concern. Read more about that here: http://wiki.apache.org/httpd/ExtendingPrivilegeSeparation
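The file-permission difference described in the answer can be checked on a real document root. The following is an added example, not part of the original answer: it lists which files an identity other than the site owner (for instance the shared Apache user that serves static files in a suexec setup) can read, judged from the classic mode bits only. The function names and the sample layout are assumptions made for this illustration.

```python
import os
import stat

def readable_by(st, uid, gids):
    """Classic Unix read check from mode bits (ACLs and root's override ignored)."""
    if uid == st.st_uid:            # owner: only the owner bits apply
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:           # group member: only the group bits apply
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_docroot(docroot, web_uid, web_gids):
    """Return sorted relative paths of regular files that web_uid can read."""
    exposed = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(base, name)
            st = os.lstat(path)     # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and readable_by(st, web_uid, web_gids):
                exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)

def build_sample(root):
    """Create a constructed sample docroot; return the stat of one of its files."""
    layout = {"index.html": 0o644, "config.php": 0o600, "style.css": 0o640}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return os.lstat(os.path.join(root, "index.html"))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        st = build_sample(root)
        shared_uid = st.st_uid + 1  # hypothetical uid of a shared Apache user
        # suexec-style serving: static files must appear in one of these lists
        print("shared user, no group:", audit_docroot(root, shared_uid, set()))
        print("shared user in group: ", audit_docroot(root, shared_uid, {st.st_gid}))
        # per-user serving (MPM-ITK): the request runs as the owner
        print("site owner:           ", audit_docroot(root, st.st_uid, {st.st_gid}))
```

Any file the shared identity must be able to serve has to show up in the first two lists, while a request running as the site owner can still read files kept at mode 0600.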
