
Re: [d-security] Re: Putting Apache, PHP, Tomcat and CGI in a jail



Hi

On Sat, Jan 04, 2003 at 09:00:45PM +0200, Martynas Domarkas wrote:
> Hi, I'm currently trying to use makejail... it does not work very well.
> A simple way is to copy /bin/bash with libraries (try ldd /bin/bash to find
> out which libs you need), so you can do chroot /your/chroot/dir. After that,
> do dpkg -L apache and copy contents of apache package to chroot, also
> repeat it with apache-common, tomcat, libapache-mod-php and so on. Then

A different approach is to use the "sbox" command. It allows you to not
only chroot each virtual host into its own space but also runs programs
under different UIDs so that malicious users may not kill other users'
processes. If you disable some options and .shtml support and compile
PHP as a standalone executable (then works via mod_rewrite as CGI) it
works really fine!

At least it's the least resource consuming method I know that separates
filesystems and uids for the vhosts.
(although I haven't tested user-mode-linux yet which sounds very
promising, too)

bye,

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
ch@westend.com     Internet & Security for Professionals    Fax 0241/911879
          WESTEND ist CISCO Systems Partner - Authorized Reseller
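
The manual step quoted at the top of this message (use ldd to find a binary's libraries, then copy them into the chroot) can be scripted as below. This is an added example, not part of the original post and not code from makejail or sbox; the function names and the sample ldd output are constructed for illustration, and it covers only the ldd step, not the dpkg -L package copy.

```shell
#!/bin/sh
# Added example: populate a chroot with a binary and the libraries ldd reports.
# Function names are hypothetical; run ldd only on binaries you trust, since
# ldd may invoke the program's loader to resolve dependencies.

# Read ldd output on stdin and print the absolute library paths it names.
# Handles "name => /path (addr)" and "/path (addr)" lines and skips entries
# with no file on disk (linux-vdso, "not found", "statically linked").
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//                { print $1 }
    ' | LC_ALL=C sort -u
}

# Copy one file into the jail, keeping its directory layout. -L follows the
# symlinks that library names usually are, so the jail gets the real file.
copy_into_jail() {
    jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -pL "$src" "$jail$src"
}

# Copy a binary plus every library ldd lists for it; fails on the first error
# so a half-populated jail is not mistaken for a working one.
jail_binary() {
    jail=$1 bin=$2
    copy_into_jail "$jail" "$bin" || return 1
    ldd "$bin" | ldd_paths | while read -r lib; do
        copy_into_jail "$jail" "$lib" || exit 1
    done
}

# Constructed ldd output, used to exercise ldd_paths without a real binary.
sample_ldd() {
    cat <<'EOF'
	linux-vdso.so.1 (0x00007ffc00001000)
	libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f0000002000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000001000)
	libmissing.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f0000003000)
EOF
}

# Usage: jail_binary /your/chroot/dir /bin/bash
```

Libraries loaded at run time with dlopen (NSS modules, for example) do not appear in ldd output and still have to be copied by hand.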


