arne_v wrote: ↑Sun Sep 29, 2024 10:22 pm
Just did some testing.
.
First a note: the PHP kit builds fine on x86-64 with PHP 8.1 - it does not build on Alpha with PHP 5.6 (I don't know if that is worth pursuing as 5.6 is utterly obsolete, but I assume the kit worked with PHP 5 originally).
Originally it was 4.7, PHP 5 was out but I didn't feel like getting it to work on VMS.
PHP works fine. Based on my very limited test.
Static content performance is super. But PHP performance is not super. No surprise as it is CGI based.
So question one: how difficult would it be to create an MST for PHP?
The main issue is memory concerns. You have to size the stack allocation for the threadpool you'd use to service PHP and I don't have a feel for how much stack the zend engine uses. You'd also have to review the request cleanup to make sure there are no memory leaks or other residue from previous requests.
php_cgilib.c actually list 4 ways to use it. You recommend #1 for security reasons. But #3 is the one used by practically all other web servers.
So question two: is the discourage of #3 just general "better safe than sorry" or are there some potential issues for OSU that does not apply to the other web servers using that method.
By default, scripts run as the same username as the web server itself. Too many administrators just find it easier to 'fix' a configuration issue by giving it privileges than figuring out the safe solution. Unix servers have better one-way mechanisms for de-privileging their worker processes.