Allowing access to APC is a bad idea security wise

I can see the benefit of requiring a re-authentication before visiting the page, but that should be provided by another module which could do that in a more generic manner.

For the "basic authentication" solution - what should the instructions say in terms of who to give that password to? What do you see as the benefit of basic authentication compared to Drupal's authentication system?

Perhaps an alternative is simply a warning in the pre-installation documentation about what kinds of environments are or are not appropriate to install this module?

Can you help draft the changes you'd like to see? What aspects of access to the page make it a problem - just the "Clean OpCode Cache" button or other parts?

FYI, I added a basic README with your text in 91e50bd. Is it strongly worded enough?

In the mean time I've removed the download link on the main page until we can agree on a warning message of your liking.

Because if the drupal site gets compromised, you compromise all other sites running on the same host. Imagine someone playing with the Clean OpCode Cache button. How will the host and other sites react? It can make all sites on the host unresponsive.

I think this is a pretty contrived possibility. If an attacker has compromised a Drupal site there are already ways to make the host unresponsive (e.g., just flush the Drupal caches repeatedly) and if the attacker has the ability to execute arbitrary PHP code nothing would stop them from calling apc_clear_cache() or even running the apc.php script itself.

Nonetheless, you are correct that this module should not be run in all circumstances.

Perhaps an alternative is simply a warning in the pre-installation documentation about what kinds of environments are or are not appropriate to install this module?

This sounds like a reasonable compromise to me. Can I have some help with the drafting this language?

It can be markdown, but d.o doesn't do anything special with markdown so it's not super useful of pointless.

I mostly agree with @bfroehle regarding using this in an abusive way. If someone has compromised an account on a Drupal site with "administer site configuration" then they can already take it over in a variety of ways. It's true that this would let them take down the whole server whereas "administer site configuration" is just about messing with the current site however on most sites, someone with "administer site configuration" would also have things like "administer users" and/or "use php for block visibility" which would lead to the exploits in the way @bfroehle mentioned. I think the best thing is a solid warning in the README.txt to remind folks that "administer site configuration" should not be given out lightly which, afaict, has mostly been done (though it could be extended).

I'll push it to a sandbox of mine and to github also.

How's that?

Sounds great! Thanks all!

It might be an idea to add an extra permission specifically for the APC report callback and (in D7 at least) set the restrict access option on that permission. That way an extra warning is shown on the permissions page.

It might be an idea to add an extra permission specifically for the APC report callback and (in D7 at least) set the restrict access option on that permission. That way an extra warning is shown on the permissions page (as per attached patch).

it doesn't really add extra security, but should make site maintainers think before granting said permission.

Thanks for your patience, I just got home from a vacation. I've committed your patch in #10 to the 7.x-1.x branch.

Should this be backported to 6.x-1.x?

6.x-1.x doesn't have the same feature, so you can only add a note to README.txt and make the name of the permission scary.

Corrected typo.