From: Tom <tom@lemuria.org>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: policy question
Date: Fri, 19 Apr 2002 08:30:28 +0200 [thread overview]
Message-ID: <20020419083028.D11674@lemuria.org> (raw)
In-Reply-To: <20020418214702.BC6CE44E3E@lyta.coker.com.au>; from russell@coker.com.au on Thu, Apr 18, 2002 at 11:47:02PM +0200
On Thu, Apr 18, 2002 at 11:47:02PM +0200, Russell Coker wrote:
> > The point is that the reuse of children makes the "fork and change UID"
> > approach impractical. It works for SSH, but not for apache.
>
> Sure it'll work for Apache!
>
> On an active web server you don't have equal access to all domains, and each
> domain will have it's own load spikes. So if you have co-processes staying
> around for 30 seconds after being used then you won't have too many running
> at once.
Sorry, but this is very much impractical in any real-life situation.
First of all, it would require that apache keep track of which process has
dropped to what UID and hands off incoming requests according to that table,
which needs to get updated at each fork and each SIGCHLD.
Two, it also requires that apache handles load independently for each
UID, instead of globally for the whole server, including spare servers
to start or kill, request-handling and forking of new processes. In
short, a total rewrite of a critical component.
Three, on any mass-hosting server, it will drive memory requirements
through the roof within minutes. My company has webservers with
thousands of users. If just 10% of them get accessed at any given time,
something a few search engine crawls can easily accomplish, we'll have
several hundred apache instances hanging around, and that is without
taking into account spare servers.
Four, you would have to fork() much more often than right now. The sole
reason for apache's spare server concept is that forking is so
expensive, so apache tries to avoid it at all costs. Anything that
introduces a considerable increase in forks can not be a good thing.
Which is why I'm trying to do what I need to do without any forks and
without digging deep into apache's heart. Our discussion gave me an
idea or two that I'll be testing. Thanks for the input.
--
http://web.lemuria.org/pubkey.html
pub 1024D/D88D35A6 2001-11-14 Tom Vogt <tom@lemuria.org>
Key fingerprint = 276B B7BB E4D8 FCCE DB8F F965 310B 811A D88D 35A6
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2002-04-19 6:33 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-04-18 9:22 policy question Tom
2002-04-18 10:44 ` Russell Coker
2002-04-18 12:25 ` Tom
2002-04-18 14:51 ` Russell Coker
2002-04-18 15:15 ` Tom
2002-04-18 15:32 ` Stephen Smalley
2002-04-18 16:21 ` Tom
2002-04-18 18:28 ` Russell Coker
2002-04-18 20:40 ` Tom
2002-04-18 21:47 ` Russell Coker
2002-04-19 6:30 ` Tom [this message]
2002-04-18 16:08 ` Russell Coker
2002-04-18 16:32 ` Tom
2002-04-18 18:47 ` Russell Coker
2002-04-18 20:49 ` Tom
2002-04-18 21:44 ` Russell Coker
2002-04-19 6:14 ` Tom
2002-04-19 9:10 ` Russell Coker
2002-04-19 12:27 ` Tom
2002-04-19 15:02 ` Stephen Smalley
2002-04-18 15:22 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2002-05-02 10:11 Policy question Reino Wallin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020419083028.D11674@lemuria.org \
--to=tom@lemuria.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.