[Mono-list] mod_mono and userdir

Eran Sandler Eran.Sandler@smarteam.com
Thu, 13 Mar 2003 12:26:18 +0200


Hi Patrik,

In most cases the servers are used to serve applications not multiple
users running multiple applications (at least in the business world) so
perhaps it is something that can be delayed for a while.

Regarding IIS 6, it has a few configurations:
- Running all applications on a single Application Host (similar to the
medium isolation level in IIS 5.0 which ran all applications under the
same dllhost process).

- Defining an Application Host for a single application (similar to IIS
5.0 high isolation level which actually had a process per high isolation
application).

- Defining a Web Garden which hosts several applications on the same
Application Host (a new feature in IIS 6.0).

- Working in IIS 5.0 compatibility mode which has ONE single Application
Host for all the applications running on this server.

Regarding the security issues, impersonation of a user for a process
doesn't require that much in UNIX/Linux right? I haven't done this
myself in UNIX/Linux but I presume it shouldn't be that hard.


I know it might be a lot of work but unless given other possibilities
with similar functionality for running ASP.NET (both applications and
Web Services), people would be forced to take IIS 6.0 (there is also a
specific Windows 2003 version for the web with web acceleration in the
kernel).

Don't forget that Microsoft is improving Windows in such ways that at a
certain point it might be a worthy adversary for Linux in the web
market.
The current implementation of mod_mono is similar to IIS 5.0 and
ASP.NET. It might seem that IIS is a server that simply supports ASP.NET;
in version 6.0 it is getting a little bit close (even too close) to being
an integral part of .NET and we must accommodate this whole by supplying
this missing functionality.

After all ASP.NET applications that will run on IIS 6.0 in a certain
configuration will be expected to run the same way on mod_mono under
Apache.

I know that a customer of the company I work for did agree on installing
a Windows 2000 machine to be a web server but didn't want to hear about
IIS. He did agree to install Apache.
This marks an important point that we might be able to take some
"market-share" but making all of this work in Microsoft's back yard,
Windows.

Eran

-----Original Message-----
From: Torstensson, Patrik [mailto:patrik.torstensson@intel.com]
Sent: Thursday, March 13, 2003 11:46 AM
To: Eran Sandler; Steinar Herland; Daniel Lopez; mono-list@ximian.com
Subject: RE: [Mono-list] mod_mono and userdir

Hi Eran,

> An apache module will hide this kind of functionality from
> the user. An HttpModule must be registered in the web.config
> file, thus forcing every application that needs to handle
> this to add that line.
>
> Putting this code at the Apache module level removes the need
> to add the configuration to the web.config file.
> After all, it seems logical that in Windows almost no one
> will use it and if they do it will be in a very different way.
>
> Why make them some extra job of removing lines from the web.config?
> After all, it is not imperative to have such functionality in
> Windows (even on Apache on Windows).

I'm not sure on that, I think there are solutions out there that would
like to have that on Windows too. I have made IIS Filters to fix that
before for customers.

> I think that it is important to implement multiple paths per
> Application Host. This kind of behavior will probably be
> required by users that will be familiar with IIS 6.

I don't think so. IIS 6 has multiple Application Hosts (one per running
application) in a farm. We should support the same kind of
functionality but it's a lot of work to construct that for Apache but it
will bring Apache to the same level as IIS 6 when it comes to
application isolation.

> It might also be necessary to allow the host to run on a
> different user (if this is possible). For enhanced
> security we will need to run the host on different
> credentials so the Application Host will have very limited
> access to resources.

Again, there is a lot of work to create this kind of isolation but when
it's done you can easily support running each app host with different
users.

Cheers,
 Patrik