Hi. I have been thinking about putting Apache inside a place where it cannot harm anything else on the system. We are serving web pages for several projects and we cannot control what every one of them does (PHPNuke, PostNuke and friends have their big share of vulnerabilities). I have been reading about two possibilities, among others.

* Vserver (http://www.solucorp.qc.ca/miscprj/s_context.hc)
  A patch for the kernel which provides context creation and jailing, so that processes are controlled by the kernel and can be isolated from other contexts. Allows you to stop/start/restart the vservers, and provides a set of tools to work with them (even to create them).

* Chroot
  The Linux system call to jail a subtree. Has to be created and maintained manually.

If anyone has experience with the solutions introduced above or has another kind of suggestion...

The other problem is how to prepare it: in the case of vserver, it can be done by copying the tree to a new location (/usr/vserverXX/) or just by mounting using the --bind flag on mount (allowing a dir to be mounted on to another mount point). Any experience here?

Thanks in advance!

mooch

-- 
Jesus Climent | Unix System Admin | Helsinki, Finland.
web: www.hispalinux.es/~data/ | pumuki.hispalinux.es
------------------------------------------------------
Please, encrypt mail sent to me:
GnuPG ID: 86946D69
FP: BB64 2339 1CAA 7064 E429 7E18 66FC 1D7F 8694 6D69
------------------------------------------------------
Registered Linux user #66350
Debian 3.0 & Linux 2.4.20

Shall I make us a nice cup of tea, Ma'am ?
  --Mrs. Mills (The others)
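The two ways of preparing a jail that the post asks about (copying a tree versus bind-mounting the host tree into it), as an added example that is not part of the original message or of the Vserver project. `mkjail` builds a minimal chroot by copying a chosen set of binaries and the shared libraries `ldd` reports for them, so the jail contains only what the daemon needs; `bindjail` shows the mount --bind alternative. The jail path and the binary list are assumptions for illustration, as is the use of `ldd` for dependency discovery. Two caveats a practitioner would want: chroot(2) is not a barrier for a process running as uid 0, so Apache inside the jail must still drop to an unprivileged user; and a bind mount hands the jail the whole bound subtree with the same writability as the source, because read-only bind mounts only arrived in Linux 2.6.26, which on a 2.4 kernel is an argument for copying rather than binding.

```shell
#!/bin/sh
# Added example: build a minimal chroot tree for a daemon, or bind-mount
# host subtrees into it. Not code from the original post. Paths and the
# binary list are hypothetical; adjust for the real Apache install.

# copy_into JAIL PATH: copy one host file to the same path inside JAIL,
# dereferencing symlinks so the jail holds the real file.
copy_into() {
    jail=$1; path=$2
    mkdir -p "$jail$(dirname "$path")"
    cp -L "$path" "$jail$path"
}

# mkjail JAIL BIN...: copy each binary plus the shared objects ldd lists
# for it (the dynamic loader appears as a bare absolute path, libraries
# as "name => /path", so every field starting with "/" is a dependency).
# A statically linked binary, or a system without ldd, just copies BIN.
mkjail() {
    jail=$1; shift
    for bin in "$@"; do
        copy_into "$jail" "$bin"
        if command -v ldd >/dev/null 2>&1; then
            for lib in $(ldd "$bin" 2>/dev/null |
                         awk '{ for (i = 1; i <= NF; i++) if ($i ~ "^/") print $i }'); do
                if [ -f "$lib" ]; then
                    copy_into "$jail" "$lib"
                fi
            done
        fi
    done
}

# jail_files JAIL: number of regular files now inside the jail, so a
# build can be sanity-checked (an empty jail means nothing was copied).
jail_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# bindjail JAIL SRC: the mount --bind alternative. Bind only the subtree
# you need (not "/"), then remount it read-only. Requires root; the
# read-only remount needs Linux 2.6.26 or later, on older kernels the
# jail gets the source tree with full host writability.
bindjail() {
    jail=$1; src=$2
    if [ "$(id -u)" -ne 0 ]; then
        echo "bindjail: must be root to mount" >&2
        return 1
    fi
    mkdir -p "$jail$src"
    mount --bind "$src" "$jail$src"
    mount -o remount,ro,bind "$src" "$jail$src"
}

# Usage when run directly: mkjail /usr/jail/www /usr/sbin/apache ...
# then: chroot /usr/jail/www /usr/sbin/apache  (with Apache configured
# to switch to an unprivileged User/Group inside the jail).
if [ "${MKJAIL_RUN-}" = "1" ]; then
    mkjail "$@"
    echo "files in jail: $(jail_files "$1")"
fi
```

Run with `MKJAIL_RUN=1 sh mkjail.sh /usr/jail/www /usr/sbin/apache` and then copy in the config, DocumentRoot and the `/dev/null` and `/etc/passwd` entries the daemon needs; `ldd` only sees link-time dependencies, so modules loaded with dlopen (PHP, mod_* files) have to be added by hand.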