[Catalyst] Cached TT w/mod_perl issue? Or just a Toby-bug?

Toby Corkindale tjc at wintrmute.net
Wed Sep 28 13:18:06 CEST 2005


On Wed, Sep 28, 2005 at 12:54:49PM +0200, Aaron Ross wrote:
> Hi Toby,
> 
> >>*  You can make Apache start as the apache user and not change ID.
> >
> >
> >Apache starts as root on almost every Linux distro; requiring that
> >sysadmins hack their servers to start as a certain user, just to run our
> >app, is a suggestion that will not fly.
> 
> I actually think there is a useful idea buried in the noise. If you run 
> your site using a reverse proxy you can, and probably should, run your 
> apache/mod_perl process as a non-privileged user.

*nods* I'm familiar with Squid accelerators, although we're not using one
on this project. I can see that one can get around the port-80 issue with one
though, or by using some firewall rules for that matter.

I'd still prefer to keep running Apache as per the "Standard Way" though; I'm
not convinced that having it start as a non-root-uid is noticeably more secure
than not, esp. compared to the extra administration hassles involved. 

Thanks for the mention of it though.

People have mentioned delaying the TT initialisation until after Apache's uid
swap. This sounds like a reasonable solution to me, but I'm worried about
retaining compatibility with the non-mod_perl Catalyst instances. It's useful
to be able to still access the other Catalyst engines for debugging or in case
we find a need to move to another platform later.

I'm hoping to find an elegant way to achieve this.

Thanks,
Toby

-- 
Turning and turning in the widening gyre/The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold/Mere anarchy is loosed upon the world
(gpg --keyserver www.co.uk.pgp.net --recv-key B1CCF88E)
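
Added example, not part of the original post and not Catalyst's own code: one way to defer Template Toolkit construction until first use, so the compiled-template cache is created by the post-swap worker uid under mod_perl while other engines take the same code path. It assumes a Unix host and that the issue in this thread is cache files created before the uid swap; the package name, cache directory and template path are hypothetical.

```perl
package MyApp::View::LazyTT;    # hypothetical module name
use strict;
use warnings;
use File::Spec;
use Template;

my ($tt, $tt_pid);              # one Template object per process

sub tt {
    # Reuse the object only inside the process that built it.
    return $tt if $tt && $tt_pid == $$;

    # mod_perl sets $ENV{MOD_PERL}. While the parent is still root ($> == 0),
    # refuse to build: this fails loudly if startup code calls tt() too early.
    die "TT initialised before the uid swap\n" if $ENV{MOD_PERL} && $> == 0;

    # Per-uid cache directory (assumed location), private to the worker user.
    my $dir = File::Spec->catdir(File::Spec->tmpdir, "myapp-ttc-$>");
    mkdir $dir, 0700;           # may already exist; verified below
    my @st = lstat $dir or die "cannot stat $dir: $!\n";
    # Must be a real directory (not a symlink), owned by us, not group/world writable.
    die "unsafe cache dir $dir\n"
        unless -d _ && $st[4] == $> && !($st[2] & 022);

    $tt = Template->new({
        INCLUDE_PATH => 'root/templates',   # assumed template location
        COMPILE_DIR  => $dir,
        COMPILE_EXT  => '.ttc',
    }) or die Template->error, "\n";
    $tt_pid = $$;
    return $tt;
}

sub render {
    my ($class, $template, $vars) = @_;
    my $out    = '';
    my $engine = tt();
    $engine->process($template, $vars, \$out) or die $engine->error, "\n";
    return $out;
}

1;
```

Outside mod_perl `$ENV{MOD_PERL}` is unset, so the root check is skipped and the first `render` call builds the object as whatever user runs the engine.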


