Re: [suse-security] Security enhancements with Chrooted Apache?
From: Philippe Vogel (filiaap freenet.de)
Date: Tue Feb 15 2005 - 14:48:31 CST
Mike Tierney wrote:
| Yes people can escape from Chroots. There is no extra protection in
| the SuSE Kernel yet. And trying to apply any 3rd party patches can
| be a real pain (at least for the 2.4 kernel) owing to the extensive
| backports of stuff into it.
|
Is there any proof of concept or any article on the net, even if you
disable /proc access in chroot-apache?
What about the use of capabilities in that context (and
grsecurity-patches)?
| Look at my thread from about a week or two ago called "Extra Chroot
| Protection in SuSE?" or something like that.
|
| If you don't mind running a patched vanilla kernel, take a look at
| www.grsecurity.org. They have done all kinds of nice things like
| make Chroots more secure as well as patching lots of other things
| and implementing some stack smashing protection etc.
|
| Also, if you want REALLY secure separation of applications, then
| I'd recommend something like the linux vserver project
| (www.linux-vserver.org) whereby you can create multiple virtual
| servers with their own IP addresses and capability restrictions,
| etc.
|
| Or check out Solaris 10 x86 which has this feature called
| "Containers" which securely implements the same thing but it's part
| of the OS now rather than an "add-on" or 3rd party patch. Also
| anyone can now use Solaris 10 x86 as long as they register that
| they are using it!
|
| Hope that helps! :)