[PLUG] Isolating httpd Applications

Paul Heinlein heinlein at madboa.com
Thu Sep 2 18:49:00 UTC 2010


On Thu, 2 Sep 2010, drew wymore wrote:

> On Thu, Sep 2, 2010 at 11:15 AM, Rich Shepard <rshepard at appl-ecosys.com> wrote:

>>  Is it possible, and practical, to isolate a Web site in a chroot 
>> jail that would protect other, internal, applications if the site 
>> was cracked?
>>
> Rich -
>
> Funny you ask as I was reading about this very same question last
> night. I haven't tried out the methods described yet so YMMV
>
> http://www.faqs.org/docs/securing/chap29sec254.html

An alternative, if you have spare machines (real or virtual), is to 
proxy the application through your public web server to another 
machine that's not directly accessible from the Internet and hosts 
little information of value.

In your case, I suspect it's overkill, but it's a very handy solution 
in those cases where

* you want to delegate administrative privileges to someone who
   doesn't have the same privileges on the main web server

* you want to ensure that the application can't monopolize CPU or IO
   resources the main web server needs to have

* the application requires resources or versions you don't want on
   your main web server

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
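
The proxy arrangement described in the message above could be configured as follows. This is an added example for Apache httpd 2.4 with mod_proxy, not part of the original post; the host names, the 10.0.0.x addresses, port 8080 and the /app/ path are constructed placeholders.

```apache
# ---- Public web server (front end), constructed address 10.0.0.2 ----
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName www.example.org

    # Reverse proxy only: never relay arbitrary URLs for clients.
    ProxyRequests Off

    # Only /app/ is handed to the isolated machine; everything else
    # is still served by this host. Timeouts keep a slow or hung
    # application from tying up front-end workers indefinitely.
    ProxyPass        "/app/" "http://10.0.0.5:8080/" connectiontimeout=5 timeout=30
    # Rewrite Location headers in backend redirects so clients never
    # see the internal address.
    ProxyPassReverse "/app/" "http://10.0.0.5:8080/"
</VirtualHost>

# ---- Application machine (back end), constructed address 10.0.0.5 ----
# Bind to the internal interface only, so the application is not
# reachable directly from the Internet.
Listen 10.0.0.5:8080

<VirtualHost 10.0.0.5:8080>
    ServerName app.internal.example
    DocumentRoot "/srv/app/htdocs"

    <Directory "/srv/app/htdocs">
        # Accept requests from the front-end proxy and nothing else.
        Require ip 10.0.0.2
    </Directory>
</VirtualHost>
```

A packet filter on the back-end machine that admits port 8080 only from the front end gives the same restriction a second layer that does not depend on the httpd configuration.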

