Slashdot Mirror

← Back to Stories (view on slashdot.org)

Covalent's Version of Apache 2.0 To Drop Monday

Posted by timothy on from the this-will-get-confusing dept.

kilaasi points out this CNET story about the planned release on Monday of Apache 2.0, "or at least the version that has proprietary extensions. Covalent sells the core of Apache and its own extensions which make it easier to adapt for specific areas and simpler to administer. Covalent is confident that the next generation Apache is mature and is ready for prime time. Covalent employs some of the core members of the Apache-development-team." XRayX adds a link to Covalent's press release, writing: "It's not clear when the Open Source Edition (or whatever) will come out and I didn't find anything at the official Apache Site." Update: 11/10 16:37 GMT by T : Note that the product name is Covalent Enterprise Ready Server; though it's based on Apache software, this is not Apache 2.0 per se. Thanks to Sascha Schumann of the ASF for the pointer.

10 of 85 comments (clear)

  1. Static PHP + scripts running as users by chrysalis · · Score: 5, Informative

    One of the most annoying thing in Apache 1.x is that when PHP is compiled in the server (not run through the CGI), all scripts are running as "www", "nobody", or whatever anonymous user your Apache daemon is running as.
    There's no way to have PHP script run as different users (just like what suexec does for spawning CGI external progs) .
    Sure, PHP has a so-called "safe-mode", but it's still not that secure, especially when it comes to creating files or acess shared memory pages.
    I was told that Apache 2.0 had a mechanism that could make user switching for PHP scripts possible. Has anyone experimented with it?

    --
    {{.sig}}
    1. Re: Static PHP + scripts running as users by Akardam · · Score: 3, Informative

      There's no way to have PHP script run as different users (just like what suexec does for spawning CGI external progs)

      Actually, there is. You have to use PHP in CGI mode, where it ISN'T compiled into Apache as a module. I've never used it in that mode myself (I only have one simple PHP script on my entire server); however, a search on google for php+suexec turns up some info. Apparently, CGI mode does work, but not quite as well as module mode (some people seem to indicate that it runs like a dog).

    2. Re:Static PHP + scripts running as users by cehf2 · · Score: 4, Informative
      With any application running on a web server there is a trade off between performance and security. because the PHP module is running inside the core of the web server, it should be fairly fast, however if you want the ability to change what users the php scripts run as, your only option is to use CGI scripts. CGI by its very nature is *very* slow. This is due to the overhead of the fork/exec/load program.

      You may also be able compile PHP as a FastCGI program, you could then run several external FastCGI's as different users and configure Apache to run the particular script with a particular FastCgi program. I have no idea how to do this with apache, as I use Zeus myself.

      If Apache 2 does have a way to switch users for PHP scripts, it will not be secure. Under UNIX, once you have dropped your permissions you can never gain them again. The work around is to have 'real' and 'effective' users that programs run as. As long as you only change your efective user, you can re-gain permissions, but anything can regain permissions. You can also only change users when you are root. This would be a big security hole, in that if there was a buffer overflow attack root could trivially be optained by anyone.

      security, performance, configurability - pick 2

  2. Apache has released 2.0 betas by Kenny+Austin · · Score: 1, Informative

    "It's not clear when the Open Source Edition (or whatever) will come out and I didn't find anything at the official Apache Site."

    Here is apache 2.0 documentation and you can download 2.0.16 (public beta) or 2.0.18 (it's an alpha).. but what do you want them to open source? The 2.0 core (it is) or the proprietary enhancements (yeah right).

    Kenny


    at least slashdot didn't change my urls into http://slashdot.org/httpd.apache.org this time.

    1. Re:Apache has released 2.0 betas by huftis · · Score: 5, Informative
      It's not clear when the Open Source Edition (or whatever) will come out and I didn't find anything at the official Apache Site.

      Apache Week has more information on this:

      Those waiting since April for a new 2.0 beta will have to keep on waiting after another release candidate, 2.0.27, was abandoned this week when a bug was discovered while running the code on the live apache.org server. Some httpd processes were found to be stuck in infinite loops while reading POST requests; the bug was traced to the code handling request bodies. After fixes for this bug and a build problem on BSD/OS were checked in, the tree was tagged ready for a 2.0.28 release.
  3. Re:At $1495 per CPU by GC · · Score: 4, Informative

    Yes quite, for those of you who just want to download Apache 2.0, compile it and have it running by the time you could have bought the package from Covalent, go here

  4. mod_perl by m_ilya · · Score: 2, Informative
    What about all of the cool API stuff and plugins, I suppose they all have to be rewritten? Mod_rewrite, mod_perl, etc, etc, yes?

    AFAIK Apache's API have been changed and indeed all its modules should be rewritten for new Apache.

    I don't know about all modules but here some info about mod_perl. There is already exist rewrite of mod_perl for Apache 2.0 with threads support. It has many tasty features. Check yourself.

    --

    --
    Ilya Martynov (http://martynov.org/)

  5. Re:Can threads really beat fork(2)? by Furry+Ice · · Score: 2, Informative
    Programming threads is just as hard as programming with processes on a conceptual level. The type of problems you encounter are the same.

    This makes it sound as if the two models have equivalent obstacles, and that neither is easier than the other. It's true that separate processes are used for stability reasons, but that stability isn't gained only because one process can crash without taking all other processes with it. The main problem with threads that doesn't exist with processes is with shared memory. All variables on the heap can potentially be accessed by two threads at any given time, and access to them must be synchronized. Bugs related to these race conditions can be very hard to track down, and many people would rather forego the problem entirely and just use processes.
  6. -1 FUD by jslag · · Score: 2, Informative
    Look at Ken Coar's editorial in the last Apache Week. The ASF is spinning their wheels at this point.


    The article
    in question says nothing of the sort. It notes that the development processes of apache have changed over the years, with associated wins and losses.


    Why has IIS taken over the SSL market? Because it ships with EAPI.


    Thanks for the laugh.

  7. Re:does anyone know if the newest beta of apache2 by Jeff+Trawick · · Score: 2, Informative
    painful question :( various folks have tried running threaded on FreeBSD... we got weird symptoms that nobody has had time/skills to track down... sadly, I think a FreeBSD pthreads guru is going to need to build a threaded Apache 2.0 and debug it... maybe we're just tickling FreeBSD pthreads the wrong way and a small change would take care of it... maybe current FreeBSD pthreads just can't support threaded Apache... I dunno

    even prefork (non-threaded) MPM with a thread-safe APR doesn't work right on FreeBSD... if I recall correctly, the parent process was eating lots of CPU in some sort of signal code...