security question.

Ed W lists at
Sat Apr 12 00:26:27 MSD 2008


> Actually that's not true.  Many web apps need to open an outgoing
> network connection (for example, to fetch an RSS feed, process a credit
> card, use OpenID, check a blog comment against akismet, etc).

True - lots don't need to though!  You just add the userid into a group 
if they can see the network, otherwise they can't.  Quite simple.  
Running servers and clients are two seperate permissions with grsec, so 
for example you can allow them to check openid, but deny running an IRC 

> But yes, I've investigated these things a bit and agree they can help
> with security.  Unfortunately they also tend to make fixing things
> become a lot more obscure.  Now when an app fails you must ask whether
> it's firewall rules, security framework rules, or simply an application
> error.

Yep.  True.  Also if you are using VPS style containers then it's also 
easier to temporarily drop the firewall rules and drop the security to 
debug (another tick for VPS containers!)

> IMHO it's much easier to setup a VPS (e.g. OpenVZ) than to fiddle with
> most of the security frameworks (the most common question about SELinux
> is how to disable it).  You get adequate isolation at minimal cost, and
> your app runs in a fairly standard environment.

Well actually you get no extra protection against your app being broken 
into to, you just limit the damage caused.

I use linux vservers and I think they are *excellent*.  Best feature I 
like is that you can simply copy the container, boot it up and test an 
upgrade of config change, then blow it away again.  I move all the 
shared files to a seperate mount (eg /var/www/ in a web app container) 
and that way only the OS needs to be duplicated.

I have never got the hang of SELinux though - seems very complicated, 
but potentially very brilliant.  I don't use all of grsec, but it's a 
better fit to my way of thinking.  I like the look of the Suse stuff 
(AppArmour, etc), but it's not a supported option under gentoo.

Good luck

Ed W

More information about the nginx mailing list