8 November 2004

Apache

Monday 8 November 2004

Major Upgrade

In the coming weeks we are going to upgrade the webserver software
on matrix from Apache 1 to Apache 2. In the process, we’re making many important
changes to our webserver infrastructure. We expect that this can cause some hiccups,
so we’re currently running new software in test mode. To test your site under
the new webserver, please check out
www.netsoc.tcd.ie:88/~yourname

(replace yourname with your uername, duh).

Here’s a summary of changes we’re introducing:

  • New major Apache version. We’re switching to Apache 2.0, which is the latest
    available version. For more information, read the
    documentation.
  • New minor PHP version. We’re switching to PHP 4.3.9, which is the latest
    available stable version.
  • More PHP modules available. We’ve enabled many more PHP modules. Some of them
    are available as extensions, others are compiled in.
  • Availability of CGI. We’re allowing CGI script execution. Simply create a
    directory ~/www/cgi-bin, then chmod 711 ~/www/cgi-bin, and put
    your cgi scripts in there. To be executed correctly, their names must end in
    .cgi, and their permissions should be set as chmod go-w. The
    scrips need not be world-readable.
  • Execute-as-user. Under the new server, both CGI and PHP scripts execute
    under the user ID of the user who owns them. That’s right, your scripts
    run as a local process launched by you. We’re using
    suEXEC and
    suPHP to achieve this.

Implication of execute-as-user.

Good:

  • Security. You no longer need world-readable files to get your scripts
    to work. You can safely make files containing passwords and such readable only
    by you.
  • Files modified by scripts. You now can run software that needs write access
    to files, such as Gallery, counter scripts, etc, much more securely. Where before
    you had to make files and directories globally-writable (and risk them being overwritten
    by someone malicious), now you don’t need to do anything like that. The scripts should
    just work.
  • Wider range of applications. The new scheme should hopefully let you run a much
    broader range of web applications, much more securely.

Bad:

  • Security. The main potential problem lies in the fact that the scripts run as you.
    So they have exactly the same privileges as you do. Normally this isn’t a problem, however
    if your scripts contain security vulnerabilities you can be in trouble. If someone can force
    your scripts to execute arbitraty files, or even execute commands, the can access all your files
    and hijack your account. You should take care with what scripts you have on your website.
  • Speed. There will be a slight performance penalty for php scripts due to a
    different way they’re treated. Hopefully, it won’t be too noticable.

We will put the new webserver in place in the next few weeks,
which should give everyone plenty of time to check all of their
webpages. The date of changeover will be announced in advance.

If you do find any problems please send the address of
the troublesome page and the details of the problem to the helpdesk