<br><span class="gmail_quote"><br></span><span class="q"><span class="gmail_quote">On 4/8/08, <b class="gmail_sendername">Matt Juszczak</b> <<a href="mailto:matt@atopia.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">matt@atopia.net</a>> wrote:</span><blockquote class="gmail_quote" style="margin-top: 0; margin-right: 0; margin-bottom: 0; margin-left: 0; margin-left: 0.80ex; border-left-color: #cccccc; border-left-width: 1px; border-left-style: solid; padding-left: 1ex">
Hi all,<br><br> Been sick for a day or so, so if my email sounds a bit choppy, sorry!<br><br> I'm about to set up (well, ok, I actually did just set up) a new webserver<br> for my side ventures. This server will have managed and self-managed<br>
webhosting.<br><br> In the past, I've never really chrooted and/or jailed processes - I have<br> to do it once or twice per customer request, but never on my own boxes as<br> a general security policy. I'm usually really good at keeping boxes<br>
patched and up to date, etc. But this box is going to have about 20<br> webhosting customers - both managed and unmanaged. Some of these users<br> will of course be uploading their own content via SFTP or FTP, and for all<br>
I know the security of their PHP scripts, etc. may be "not so good".<br><br> What does everyone here usually do in securing those boxes? Do you<br> usually set up jails/chroots for the webserver processes, etc., or do you<br>
rely on internal settings in things like php.ini to maintain security for<br> your public webservers?<br><br> Thanks!<br><br> -Matt</blockquote></span><div><br>I don't think you can rely on php.ini settings to provide you security.<br>
The very least I suggest is to at least be running several light web server processes with<br>each as a separate low-priv user. You could probably do well to use mount_nullfs + jails<br>to create separate chroot jails that share the same /usr directories. You could create one<br>
master jail where you set up and install Apache/Lighttpd, PHP and whatever else you want.<br>Then for each client jail, you make sure that it has a super minimal loadout (no binaries the<br>client wouldn't ever need), and have a script to mount_nullfs read-only each /usr subdir in<br>
the master jail to the client jails, except for /usr/local/etc.<br><br>This way, you will only have to update software in your master jail. The updates will immediately<br>propagate, since all the other jails are null-mounted to the same /usr directory. And you also ensure<br>
that none of the resources (shared stuff in /usr/local/share, libraries in /usr/lib, /usr/local/lib) can be<br>tampered with since every client jail has these directories mounted read-only.<br><br>The client jails each have their own fstab.<jail>, if I remember correctly. So your script can just<br>
make modifications to those.<br><br>This is at least for FreeBSD 6.2, I doubt that it's changed for 7.0.<br><br>Perverse and probably over-complicated, but that setup has worked well for me in the past.</div><br>
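The master-jail/client-jail layout described in the reply above, as an added example that is not code from the thread: a POSIX sh script that writes the per-jail fstab for one client jail, null-mounting every /usr and /usr/local subdirectory of the master jail read-only and leaving /usr/local/etc out, plus a helper that creates the mount points inside the client jail. The jail root paths (/jails/master, /jails/client1) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits a per-jail fstab that null-mounts
# the master jail's /usr subdirectories read-only into a client jail, skipping
# usr/local/etc so each client keeps its own writable configuration.
# The jail roots /jails/master and /jails/client1 are assumptions.

# gen_fstab MASTER_ROOT CLIENT_ROOT
# Prints one fstab(5) line per directory under MASTER_ROOT/usr and
# MASTER_ROOT/usr/local. usr/local itself is skipped (its children are
# mounted individually) and usr/local/etc is skipped (per-client config).
gen_fstab() {
    master=$1
    client=$2
    for dir in "$master"/usr/* "$master"/usr/local/*; do
        [ -d "$dir" ] || continue
        rel=${dir#"$master"/}
        case "$rel" in
            usr/local|usr/local/etc) continue ;;
        esac
        # "ro" is the point: the client jail cannot tamper with shared
        # binaries, libraries or /usr/local/share content.
        printf '%s %s nullfs ro 0 0\n' "$dir" "$client/$rel"
    done
}

# make_mountpoints FSTAB_FILE
# Creates the mount point directories inside the client jail so that
# "mount -a -F /etc/fstab.client1" (what the FreeBSD jail rc script
# runs for jail_client1_fstab) can succeed.
make_mountpoints() {
    while read -r _src dst _rest; do
        [ -n "$dst" ] && mkdir -p "$dst"
    done < "$1"
}

# Usage: sh mkjailfstab.sh /jails/master /jails/client1 > /etc/fstab.client1
# then:  make_mountpoints /etc/fstab.client1
if [ $# -eq 2 ]; then
    gen_fstab "$1" "$2"
fi
```

Point rc.conf's jail_client1_fstab at the generated file; the client jail then sees the master's binaries and libraries but can only write under its own /usr/local/etc.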