security question.

Cliff Wells cliff at develix.com
Fri Apr 11 23:18:30 MSD 2008


On Fri, 2008-04-11 at 18:25 +0100, Ed W wrote:
> Have you played with any MAC schemes, eg grsecurity?  Quite good for
> locking a user into a defined set of directories and you can even
> limit permissions to do stuff like incoming or outgoing net
> connections (why would your PHP user need to create an outgoing
> network connection other than when the user account is
> compromised...).  

Actually that's not true.  Many web apps need to open an outgoing
network connection (for example, to fetch an RSS feed, process a credit
card, use OpenID, check a blog comment against akismet, etc).

But yes, I've investigated these things a bit and agree they can help
with security.  Unfortunately they also tend to make fixing things
become a lot more obscure.  Now when an app fails you must ask whether
it's firewall rules, security framework rules, or simply an application
error.

IMHO it's much easier to setup a VPS (e.g. OpenVZ) than to fiddle with
most of the security frameworks (the most common question about SELinux
is how to disable it).  You get adequate isolation at minimal cost, and
your app runs in a fairly standard environment.

Regards,
Cliff






More information about the nginx mailing list