Hi, A serious doubt has come into my mind. One of suPhp security issues is
that, Apache in order to use PHP under certain privileges launches a
wrapper as root and then this wrapper changed its uid into the interested
one. So an attacker that takes control of the wrapper before it changes its
uid, may deal serious damage to the system.

So...

HOW does Php-Fpm generate per-pool processes? By a brief look to the
source, especially fpm_worker_pool.h and fpm_unix.c seems like that Fpm
master process does a similar thing: Fpm master process as root forks
itself and then calls setuid with the given uid at the conf file. Many
sites say that fpm is more secure than suPhp, but at this time seems they
share a similar structural problem. If I understood this correctly, does
Fpm have the same security issues as suPhp, or there is something that I am
missing?

Regards

--

---
You received this message because you are subscribed to the Google Groups "highload-php-en" group.
To unsubscribe from this group and stop receiving emails from it, send an email to highload-php-en+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

There are always security issues when running any process as root, the point is to run them as a restricted user, php can run as a permanent process that processes calls without having to restart or exit using a socket or tcp port. If you need more then one php process create a pool as round robin or assigned as geographic ip pool.