From: Jahilliya <jahilliya@gmail.com>
To: "Michael Grant"
Cc: freebsd-questions@freebsd.org
Date: Tue, 9 May 2006 20:48:20 +0800
Subject: Re: jails or chroot?
In-Reply-To: <62b856460605090453o24f7de34ka71fffa392bfdedb@mail.gmail.com>
List: freebsd-questions@freebsd.org (User questions)
On 5/9/06, Michael Grant wrote:
>
> I host a bunch of websites on my box.  Recently I had some problems
> with file access problems with php which caused me to look into
> putting each of my clients into their own jail or chroot.  I have
> roughly 100 different domains I'd need to split.
>
> Has anyone done this for more than a handful of clients?  Using
> apache and their "mass virtual hosting", 100 domains is a breeze.  But
> with a jail or chroot, I need a separate apache process for each
> domain.  This is going to mean hundreds of apache processes.  This
> seems unreasonable.

Agreed that creating hundreds of chroots or jails would be an administrative
nightmare.

File access can be solved with suexec (compile apache with suexec enabled).
This means that for each virtual host entry in your apache config you add
User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or your
apache version doc set). This will make each apache process run as the user
specified in the virtual host entry (not www), allowing you to restrict their
access to files with filesystem ACLs and even ugidfw. You could also then set
up process/memory restrictions in /etc/login.conf.

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
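The per-client suexec layout the reply describes, carried through for a box with many domains. This is an added example and not code from the thread or from the Apache project. It assumes Apache 2.2 on FreeBSD with suexec built with /usr/local/www as its docroot, Apache's own children running as group "www", and one system user per client named w_<name>; the domain names, user names and paths are hypothetical. Nothing here runs as root: the script prints the vhost stanzas and the setup commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the per-client Apache 2.2
# configuration and the setup commands the suexec approach needs.
# Assumptions (all hypothetical names): docroots live under /usr/local/www,
# suexec was built with that as its --with-suexec-docroot, Apache's own
# children run as group "www", and each client is a system user w_<name>.

WWWROOT=/usr/local/www
WEBGROUP=www

# One <VirtualHost> stanza. Apache 2.2 takes SuexecUserGroup inside the
# vhost (the 1.3-era per-vhost User/Group directives no longer exist).
# RLimit* set rlimits on the children httpd forks, so the CGI started
# through suexec inherits them and, being its own uid, is counted
# separately by the kernel for NPROC.
vhost_stanza() {
    domain=$1
    user=$2
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $WWWROOT/$domain/htdocs
    ScriptAlias /cgi-bin/ $WWWROOT/$domain/cgi-bin/
    SuexecUserGroup $user $user
    RLimitNPROC 32
    RLimitMEM 134217728
    RLimitCPU 60
    <Directory $WWWROOT/$domain/cgi-bin>
        Options ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/httpd/$domain-error.log
</VirtualHost>
EOF
}

# Commands to create one client. Printed, not run (they need root).
# Modes follow suexec's own checks: the script directory and the scripts
# must be owned by the target uid/gid and must not be group- or
# world-writable, or suexec refuses to run them. The top directory and
# htdocs are user:www 0750 so httpd (group www) can serve static files
# while other clients cannot read this tree at all.
client_setup_cmds() {
    domain=$1
    user=$2
    home=$WWWROOT/$domain
    cat <<EOF
pw useradd $user -d $home -s /usr/sbin/nologin -c "web client $domain"
mkdir -p $home/htdocs $home/cgi-bin
chown $user:$WEBGROUP $home $home/htdocs
chown -R $user:$user $home/cgi-bin
chmod 0750 $home $home/htdocs
chmod 0755 $home/cgi-bin
EOF
}

# Read "domain user" pairs from stdin; vhost stanzas go to stdout (append
# to httpd-vhosts.conf), setup commands go to stderr for review.
generate() {
    while read domain user; do
        [ -n "$domain" ] || continue
        vhost_stanza "$domain" "$user"
        client_setup_cmds "$domain" "$user" >&2
    done
}

# Usage: printf 'example.org w_example\n' | sh suexec-hosts.sh --generate
if [ "${1:-}" = "--generate" ]; then
    generate
fi
```

Two caveats a practitioner will hit. First, suexec only switches uid/gid before exec; it does not call setusercontext(3), so resource limits from a login class in /etc/login.conf are not applied to the CGI it starts, which is why the stanza uses Apache's RLimitNPROC/RLimitMEM/RLimitCPU instead. Second, mod_php runs inside httpd as www whatever SuexecUserGroup says; for PHP to run under the client's uid it has to be executed as php-cgi from the client's cgi-bin through suexec. suexec also refuses target uids below its compiled-in UID_MIN, which the users created by pw useradd above normally clear.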