  1. Harum

    Hi Branko, thanks for the writeup, especially about the POSIX ACL.

    I am also evaluating either mod_ruid2 or Apache MPM ITK. Both are available on Squeeze. I currently gravitate towards ITK because it allows FastCGI, mod_php, even mod_perl to be contained in a separate user/group. Have you tried/played with ITK?

  2. Branko Majic

    Glad that you found it useful. I think POSIX ACL is probably best to steer clear of (unless something changes in the standard that'd make it more useful).

    I haven't tested MPM ITK, to be honest. I went for the mod_ruid (and then mod_ruid2) myself based on a recommendation from one of the sysadmins I know. Oh, and with mod_ruid2 you can have a separate user for anything you serve out there - it's not limited to only PHP. You can even serve static files under a different user/group. If you happen to do any kind of performance testing on these two, please let me know, it would be a useful thing to know :)

    Oh, are you sure that mod_ruid2 is available under Squeeze? I've seen it has landed in Wheezy, but looking at Squeeze repos I can't find it (I built the package myself by hand).

    For the record, in the meantime I've realised that many other script modules out there support user/group-switching natively (like mod_passenger or mod_wsgi). mod_php5 is, well, "special" it seems :)

  3. Harum

    I did some testing today. libapache2-mod-ruid2 is indeed not on Squeeze, sorry, my bad.

    MPM ITK also allows us to serve anything under a certain user/group.

    Here are some of the differences I found:

    * With MPM ITK, the Apache child processes are running as root. With mod_ruid2, they are running as www-data. When serving requests, both will switch to specified user/group though.

    * When executing CGI: With MPM ITK, Apache child processes first fork, setuid, then create a process once more to execute the CGI script (double fork). With mod_ruid2, the Apache parent process setuids the child to the user/group, then the child creates a process to execute the CGI script (only one new process is created). When serving static pages, no forking is done with either module.

    * mod_ruid2 is only available on Linux, I think, while MPM ITK should also be available under FreeBSD (which Debian also runs).

    * mod_ruid2's performance for CGI/PHP is slightly better. mod_ruid2's performance for static files is much better, as with MPM ITK static serving suffers a dramatic performance hit. Here are some numbers done with 'ab -n 1000 -c 5' on my PC:

    mpm=prefork, static file: 19241 requests/s
    mpm=prefork, CGI: 1827 requests/s
    mpm=prefork, PHP (mod_php): 15509 requests/s

    mpm=itk, static file: 2565 requests/s (7.5x slowdown compared to prefork!)
    mpm=itk, CGI: 1082 requests/s
    mpm=itk, PHP (mod_php): 1809 requests/s

    mpm=prefork, mod_ruid2, static file: 14975 requests/s
    mpm=prefork, mod_ruid2, CGI: 1869 requests/s
    mpm=prefork, mod_ruid2, PHP (mod_php): 12616 requests/s

    * mod_ruid2 allows specifying extra groups. Not sure if that's useful in most cases, but some might need it.

    I think I'll go with mod_ruid2 for now. Hope that's useful.

    BTW, the captcha is very very hard to see. Took me multiple retries. I almost gave up.

  4. Branko Majic

    Great, thanks a lot for this performance testing! Seems to be a really huge difference. I'm aware of the Linux-only thing. Unless FreeBSD started supporting the same POSIX.1e extension as well in the meantime (since this extension never left draft, I think POSIX ACL is part of it as well)?

    I'll have to maybe start using two-factor captcha. I had to increase the captcha difficulty to prevent bots from solving it, but apparently it's too annoying, so I'll have to make it a bit simpler and see how many bots manage to solve it.