[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Web Server Security

Philippe Vogel wrote:
> By setting rights to programs that may be used by another app (e.g. at
> apache startup) you may alter your configuration.
> Better give apache a restricted bash!
> Try chrooting your apache instead to make it a way more secure.
> Make a chroot-jail by copying ann needed libraries and stuff to
> /var/chroot/apache (/bin, /etc, and so on) and start apache with
> unprivileged user from chroot. This will give script-kiddie no rights
> except within chroot-jail.
At the risk of being accused of spamming again :) this is something that
Novell AppArmor is very good at.

Unlike chroot jails, AppArmor confinement can be applied per CGI
program, so that you don't have to put your entire web site into a
single security container. More over, you can even put individual PHP
pages and mod_perl scripts into individual security containers,
achieving a very high degree of "least privilege" execution per program.

An evaluation version of AppArmor is now included in SUSE Linux 10.0 if
you would like to check it out.

Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here