From: Clemens Hermann
To: Bob Martin
Cc: BSD-ISP (freebsd-isp@freebsd.org)
Subject: Re: apache jail
Date: Sat, 25 Aug 2001 16:22:25 +0200
Message-ID: <20010825162224.A1051@homer.local>
References: <20010825113754.A1025@homer.local> <3B87A920.91B65648@buckhorn.net>
In-Reply-To: <3B87A920.91B65648@buckhorn.net> from Bob Martin on 25.Aug.2001 at 08:33:20 (-0500)
User-Agent: Mutt/1.2.5i (FreeBSD 4.3-RELEASE i386)

On 25.08.2001 at 08:33:20 Bob Martin wrote:

Hi,

> The solution that Andrew Matheson posted works well if you really want to
> use a jail. There is a lot of initial work in creating jails, and jails
> use a lot of hard drive space.

Furthermore, there might be a huge overhead (CPU and memory) from running a complete httpd environment for each vhost. Adding a vhost will certainly be far more complicated.

> The easiest approach is to use good security.

That's what the whole approach is all about, right? :) IMHO the system is quite secure, so I do not expect great danger with the current situation; I just would like to keep people where they belong. Keeping everybody but root out of the system in general might increase the overall security a lot.

> There is an abundant
> amount of security documentation for apache and php on the net.

I had a closer look and bothered Google about the subject, but did not find a solution. One of my bigger concerns is that apache/php allows scripts to dig around in my system as any shell user might do as well. There is no need for that (at least if you can offer the perl interpreter etc. anyway), so I would appreciate it a lot if no php/perl/etc. script could leave what apache defines as document root. Many ftp servers offer this feature (chroot after login), which makes much sense in my opinion, but if you can bypass this with php and friends it makes far less sense.

> Spend some time making sure that the base system is secure.

Garfinkel etc. Right :)

/ch

--
"Contrary to popular belief, Unix is user friendly. It just happens to be selective about who it makes friends with."
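An added example, not part of the thread: an Apache virtual host configuration showing an unrestricted vhost next to one that confines mod_php scripts to the vhost's own DocumentRoot with open_basedir, which is the "stay inside document root" behaviour asked for above without a full jail per vhost. Hostnames and paths are assumed.

```apache
# Added example; hostnames and paths are assumed, not taken from the thread.
# Weak: nothing stops a PHP script in this vhost from reading any
# world-readable file on the box, just as a shell user could.
<VirtualHost *:80>
    ServerName weak.example.com
    DocumentRoot /usr/local/www/weak
</VirtualHost>

# Hardened: open_basedir limits PHP's file functions to the vhost tree
# plus a private scratch directory for uploads and sessions.
# php_admin_value cannot be overridden from .htaccess or ini_set(),
# so each customer stays inside their own directories.
<VirtualHost *:80>
    ServerName customer1.example.com
    DocumentRoot /usr/local/www/customer1
    php_admin_value open_basedir "/usr/local/www/customer1/:/tmp/customer1/"
    php_admin_value upload_tmp_dir "/tmp/customer1"
    php_admin_value session.save_path "/tmp/customer1"
    # Remove the functions that let a script spawn a shell and walk the
    # file system outside PHP's own (open_basedir-checked) file API.
    php_admin_value disable_functions "system,exec,passthru,shell_exec,popen,proc_open"
    <Directory /usr/local/www/customer1>
        AllowOverride None
    </Directory>
</VirtualHost>
```

open_basedir only applies to PHP itself, so CGI Perl scripts in the same vhost are not covered, and it has had bypasses over the years; it narrows what a script can reach but is not the equivalent of a jail or chroot.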