Screw those guys from Addison-Wesley! Quote from their book "Apache Webserver 2.0":
[mpm_perchild] is especially useful for big ISPs because they can run their Virtual Hosts under the user and group of their customers
While this is not entirely false, it's not the whole picture. Imagine an ISP with some 300 customers (does that count as large? I doubt that) and a configuration with mpm_perchild like this:
    # ... config ...
    # yes that's 300. One for each client
    NumServers 300
    # ... more config ...

    # just assume all on one IP
    NameVirtualHost xxx.xxx.xxx.xxx

    <VirtualHost xxx.xxx.xxx.xxx>
        DocumentRoot /var/www/cust0001
        # that's User, Group and Number of Servers for this combination.
        # This can also go into Global, and doesn't actually change the
        # User and Group for the VHost
        ChildPerUserId cust0001 cust0001 1
        # User and group for this VHost
        AssignUserId cust0001 cust0001
    </VirtualHost>

    <VirtualHost xxx.xxx.xxx.xxx>
        DocumentRoot /var/www/cust0002
        ChildPerUserId cust0002 cust0002 1
        AssignUserId cust0002 cust0002
    </VirtualHost>

    <VirtualHost xxx.xxx.xxx.xxx>
        DocumentRoot /var/www/cust0003
        ChildPerUserId cust0003 cust0003 1
        AssignUserId cust0003 cust0003
    </VirtualHost>

and so on until cust0300. A `ps -eaf | grep httpd` would then show:

    cust0001 3582 3580 0 08:48:08 ? 0:00 /avol1/intranet/apache2/bin/httpd -k start
    cust0002 3583 3580 0 08:48:08 ? 0:00 /avol1/intranet/apache2/bin/httpd -k start
    cust0003 3584 3580 0 08:48:08 ? 0:00 /avol1/intranet/apache2/bin/httpd -k start
    ...
    cust0300 3882 3580 0 08:48:08 ? 0:00 /avol1/intranet/apache2/bin/httpd -k start

This is but an example for a medium-sized ISP with 300 VHosts. Now, think of BIG ISPs with several THOUSAND VHosts. Okay, they wouldn't run on one machine, but that doesn't eliminate the problem IMO.
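Oh, and if you wonder about CGI scripts: a CGI script running in /var/www/cust0001/cgi-bin, owned by cust0001, with the following content:

    #!/bin/bash
    # CGI header followed by a blank line
    echo -e "Content-Type: text/plain\n\n"
    echo "PWD: `pwd`"
    echo "USER: `id`"
    # Try to append to a file in the script's directory; this only succeeds
    # when the script runs as a user allowed to write there
    date >> hello && okay="1"
    if [ "_$okay" == "_1" ] ; then
        echo "Okay"
    else
        echo "MEEP MEEP"
    fi
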
would create the following output:

    PWD: /pvol1/icntest/wt0000/cgi-bin
    USER: uid=43697(infowww) gid=2000(webadmin)
    MEEP MEEP

So you STILL need the suEXEC wrapper.
And now PLEASE tell me that I'm terribly, TERRIBLY wrong.
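
An added example, not from the book or from the post above: a small Python check that reads a perchild-style configuration and reports every VHost that sets AssignUserId without a matching suEXEC identity, plus a NumServers value too small for the ChildPerUserId entries. It assumes suEXEC is switched on per VHost with mod_suexec's `SuexecUserGroup` directive, which the post does not show; the `audit` function and the sample configuration are constructed for illustration.

```python
# Constructed sample in the style of the post's configuration; 192.0.2.10 is a
# documentation address and SuexecUserGroup is an assumption (not on the page).
SAMPLE_CONF = """\
NumServers 2
NameVirtualHost 192.0.2.10
<VirtualHost 192.0.2.10>
    DocumentRoot /var/www/cust0001
    ChildPerUserId cust0001 cust0001 1
    AssignUserId cust0001 cust0001
</VirtualHost>
<VirtualHost 192.0.2.10>
    DocumentRoot /var/www/cust0002
    ChildPerUserId cust0002 cust0002 1
    AssignUserId cust0002 cust0002
    SuexecUserGroup cust0002 cust0002
</VirtualHost>
"""

def audit(conf_text):
    """Return (findings, child_total) for a perchild-style configuration."""
    findings, child_total, num_servers, vhost = [], 0, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            vhost = {}
        elif low.startswith("</virtualhost") and vhost is not None:
            root = vhost.get("documentroot", ["?"])[0]
            assigned, suexec = vhost.get("assignuserid"), vhost.get("suexecusergroup")
            if assigned and suexec is None:
                findings.append(f"{root}: AssignUserId {assigned} set but no SuexecUserGroup")
            elif assigned and suexec != assigned:
                findings.append(f"{root}: SuexecUserGroup {suexec} differs from AssignUserId {assigned}")
            vhost = None
        else:
            name, *args = line.split()
            key = name.lower()  # directive names are case-insensitive
            if key == "numservers" and args:
                num_servers = int(args[0])
            elif key == "childperuserid" and len(args) == 3:
                child_total += int(args[2])  # third argument: number of children
            if vhost is not None:
                vhost[key] = args
    if num_servers is not None and child_total > num_servers:
        findings.append(f"ChildPerUserId total {child_total} exceeds NumServers {num_servers}")
    return findings, child_total
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)[0]))
```

Run against the sample, it reports only the cust0001 VHost, the one whose CGI scripts would not be switched to the customer's user.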