lists at wildgooses.com
Sat Apr 12 00:26:27 MSD 2008
> Actually that's not true. Many web apps need to open an outgoing
> network connection (for example, to fetch an RSS feed, process a credit
> card, use OpenID, check a blog comment against akismet, etc).
True - lots don't need to though! You just add the userid into a group
if they can see the network, otherwise they can't. Quite simple.
Running servers and clients are two seperate permissions with grsec, so
for example you can allow them to check openid, but deny running an IRC
> But yes, I've investigated these things a bit and agree they can help
> with security. Unfortunately they also tend to make fixing things
> become a lot more obscure. Now when an app fails you must ask whether
> it's firewall rules, security framework rules, or simply an application
Yep. True. Also if you are using VPS style containers then it's also
easier to temporarily drop the firewall rules and drop the security to
debug (another tick for VPS containers!)
> IMHO it's much easier to setup a VPS (e.g. OpenVZ) than to fiddle with
> most of the security frameworks (the most common question about SELinux
> is how to disable it). You get adequate isolation at minimal cost, and
> your app runs in a fairly standard environment.
Well actually you get no extra protection against your app being broken
into to, you just limit the damage caused.
I use linux vservers and I think they are *excellent*. Best feature I
like is that you can simply copy the container, boot it up and test an
upgrade of config change, then blow it away again. I move all the
shared files to a seperate mount (eg /var/www/ in a web app container)
and that way only the OS needs to be duplicated.
I have never got the hang of SELinux though - seems very complicated,
but potentially very brilliant. I don't use all of grsec, but it's a
better fit to my way of thinking. I like the look of the Suse stuff
(AppArmour, etc), but it's not a supported option under gentoo.
More information about the nginx