[PLUG] Isolating httpd Applications
Paul Heinlein
heinlein at madboa.com
Thu Sep 2 18:49:00 UTC 2010

On Thu, 2 Sep 2010, drew wymore wrote:
> On Thu, Sep 2, 2010 at 11:15 AM, Rich Shepard <rshepard at appl-ecosys.com> wrote:
>> Is it possible, and practical, to isolate a Web site in a chroot
>> jail that would protect other, internal, applications if the site
>> was cracked?
>>
> Rich -
>
> Funny you ask as I was reading about this very same question last
> night. I haven't tried out the methods described yet so YMMV
>
> http://www.faqs.org/docs/securing/chap29sec254.html

An alternative, if you have spare machines (real or virtual), is to
proxy the application through your public web server to another
machine that's not directly accessible from the Internet and hosts
little information of value.

In your case, I suspect it's overkill, but it's a very handy solution
in those cases where

* you want to delegate administrative privileges to someone who
  doesn't have the same privileges on the main web server
* you want to ensure that the application can't monopolize CPU or IO
  resources the main web server needs to have
* the application requires resources or versions you don't want on
  your main web server

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
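
The proxy arrangement described in the message above, sketched as Apache httpd configuration for both machines. This is an added example, not part of the original post; the 10.0.20.x addresses, port 8080, the /app/ path, and the assumption that the internal machine also runs httpd 2.4 are illustrative.

```apache
# --- Public web server (front end), inside the site's <VirtualHost> ---
# Requires mod_proxy and mod_proxy_http to be loaded.

# Reverse proxy only: never act as a forward (open) proxy.
ProxyRequests Off

# Hand /app/ to the internal machine; everything else is served locally.
# timeout= bounds how long a front-end worker waits on a slow backend.
ProxyPass        /app/ http://10.0.20.15:8080/app/ timeout=30
# Rewrite Location headers in backend redirects so clients never see
# the internal address.
ProxyPassReverse /app/ http://10.0.20.15:8080/app/

# Serve the front end's own error pages instead of the backend's.
ProxyErrorOverride On

# --- Internal application server (back end, constructed address 10.0.20.15) ---
# Bind to the internal interface only, not to every address on the host.
Listen 10.0.20.15:8080

<VirtualHost 10.0.20.15:8080>
    <Location "/">
        # Accept requests from the front end (constructed address
        # 10.0.20.10) only; other internal hosts are refused.
        Require ip 10.0.20.10
    </Location>
</VirtualHost>
```

A host firewall rule on the internal machine that admits port 8080 only from the front end's address gives the same restriction a second, independent layer.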