Re: [suse-security] Security enhancements with Chrooted Apache?
From: Philippe Vogel (filiaapfreenet.de)
Date: Tue Feb 15 2005 - 14:48:31 CST
Mike Tierney wrote:
| Yes people can escape from Chroots. There is no extra protection in
| the SuSE Kernel yet. And trying to apply any 3rd party patches can
| be a real pain (at least for the 2.4 kernel) owing to the extensive
| backports of stuff into it.
Is there any proof of concept or any article on the net, even if you
disable /proc access in chroot-apache?
What about the use of capabilities in that context (and
| Look at my thread from about a week or two ago called "Extra Chroot
| Protection in SuSE?" or something like that.
| If you don't mind running a patched vanilla kernel, take a look at
| www.grsecurity.org. They have done all kinds of nice things like
| make Chroots more secure as well as patching lots of other things
| and implementing some stack smashing protection etc.
| Also, if you want REALLY secure separation of applications, then
| I'd recommend something like the linux vserver project
| (www.linux-vserver.org) whereby you can create multiple virtual
| servers with their own IP addresses and capability restrictions,
| Or check out Solaris 10 x86 which has this feature called
| "Containers" which securely implements the same thing but it's part
| of the OS now rather than an "add-on" or 3rd party patch. Also
| anyone can now use Solaris 10 x86 as long as they register that
| they are using it!
| Hope that helps! :)