lists at wildgooses.com
Fri Apr 11 21:25:07 MSD 2008
Cliff Wells wrote:
> On Fri, 2008-04-11 at 05:36 -0400, Amer Shah wrote:
>> I'm about to throw the towel in. I was wondering how big a deal is it
>> to not run it in a jail. Is chrooting it sufficient? What do people
>> around here normally do?
> I usually run it as a normal process (as user nginx). It's the
> applications I worry about more than the web server itself. Since Nginx
> (unlike a typical Apache configuration), doesn't run applications within
> its own process space (unlike Apache's mod_php, mod_python, etc), it's
> fairly easy to run those applications under separate users and this
> greatly alleviates many security risks.
Have you played with any MAC schemes, e.g. grsecurity? Quite good for
locking a user into a defined set of directories and you can even limit
permissions to do stuff like incoming or outgoing net connections (why
would your PHP user need to create an outgoing network connection other
than when the user account is compromised...). This can greatly
decrease the damage an attacker can do.
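
An added example, not part of the original thread: a small audit that checks a process listing for the separation discussed above, where application backends run under their own users rather than as root or as the web server's user. The process listing, user names, socket paths and backend markers are constructed assumptions.

```python
"""Audit a `ps -eo user,pid,args` listing for web server / backend user separation."""

# Constructed sample output (not taken from any real host or from the thread).
SAMPLE_PS = """\
USER       PID COMMAND
root       812 nginx: master process /usr/sbin/nginx
nginx      813 nginx: worker process
nginx      814 nginx: worker process
blog      1020 php-cgi -b /var/run/blog.sock
shop      1044 php-cgi -b /var/run/shop.sock
nginx     1071 php-cgi -b /var/run/forum.sock
root      1090 python /srv/wiki/app.fcgi
"""

# Hypothetical substrings that identify application backends; adjust per host.
BACKEND_MARKERS = ("php-cgi", "php-fpm", ".fcgi")


def parse_ps(text):
    """Return (user, pid, command) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows


def audit(text):
    """Return (pid, reason) for backends that are not isolated from the web server."""
    rows = parse_ps(text)
    # Users that the nginx worker processes run as.
    web_users = {user for user, _, cmd in rows if cmd.startswith("nginx: worker")}
    findings = []
    for user, pid, cmd in rows:
        if not any(marker in cmd for marker in BACKEND_MARKERS):
            continue  # not an application backend
        if user == "root":
            findings.append((pid, "backend runs as root"))
        elif user in web_users:
            findings.append((pid, "backend shares the web server user"))
    return findings


if __name__ == "__main__":
    for pid, reason in audit(SAMPLE_PS):
        print(f"pid {pid}: {reason}")
```
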