Date: Sat, 25 Aug 2001 16:22:25 +0200
From: Clemens Hermann <haribeau@gmx.de>
To: Bob Martin <bob@buckhorn.net>
Cc: BSD-ISP <freebsd-isp@FreeBSD.org>
Subject: Re: apache jail
Message-ID: <20010825162224.A1051@homer.local>
In-Reply-To: <3B87A920.91B65648@buckhorn.net> von Bob Martin <bob@buckhorn.net> am 25.Aug.2001 um 08:33:20 (-0500)
References: <20010825113754.A1025@homer.local> <3B87A920.91B65648@buckhorn.net>

On 25.08.2001 at 08:33:20, Bob Martin wrote:

Hi,

> The solution that Andrew Matheson posted works well if you really want to
> use a jail. There is a lot of initial work in creating jails, and jails
> use a lot of hard drive space.

furthermore there might be a huge overhead (CPU and memory) by running a complete httpd environment for each vhost. Adding a vhost will certainly be far more complicated.

> The easiest approach is to use good security.

that's what the whole approach is all about, right? :)
IMHO the system is quite secure so I do not expect great danger with the current situation, I just would like to keep people where they belong. Keeping everybody but root out of the system in general might increase the overall security a lot.

> There is an abundant
> amount of security documentation for apache and php on the net.

I had a closer look, bothered Google for the subject but did not find a solution. One of my bigger concerns is that apache/php allows scripts to dig around in my system as any shell user might do as well. There is no need (at least if you can offer the perl interpreter etc. anyways) so I would appreciate it a lot if no php/perl/etc. script could leave what apache defines as document-root. Many ftp-servers offer this feature (chroot after login) which makes much sense in my opinion but if you can bypass this with php and friends it makes far less sense.

> Spend some time making sure that the base system is secure.

Garfinkel etc. right :)

/ch

--
"Contrary to popular belief, Unix is user friendly. It just happens to be selective about who it makes friends with."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010825162224.A1051>