security question.

Ed W lists at
Fri Apr 11 21:25:07 MSD 2008

Cliff Wells wrote:
> On Fri, 2008-04-11 at 05:36 -0400, Amer Shah wrote:
>> I'm about to throw the towel in. I was wondering how big a deal is it
>> to not run it in a jail. Is chrooting it sufficient. What do people
>> around here normally
>> do ?
> I usually run it as a normal process (as user nginx).  It's the
> applications I worry about more than the web server itself.  Since Nginx
> (unlike a typical Apache configuration), doesn't run applications within
> its own process space (unlike Apache's mod_php, mod_python, etc), it's
> fairly easy to run those applicatons under separate users and this
> greatly alleviates many security risks.

Have you played with any MAC schemes, eg grsecurity?  Quite good for 
locking a user into a defined set of directories and you can even limit 
permissions to do stuff like incoming or outgoing net connections (why 
would your PHP user need to create an outgoing network connection other 
than when the user account is compromised...).  This can greatly 
decrease the damage an attacher can do

Ed W
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list