From: Artist on
I have seen the instructions for running Lighttpd in a chroot jail at:
http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
These instructions involve a lot of copying of binaries to the jail.
This would mean, I assume, that if I were to execute the:
apt-get update
command the binaries in the jail will not be updated and would have to
follow up with a manual operation or script to update the jail. So is
there a way to put the server in a chroot jail using apt-get, aptitude
or synaptic that would include the jail in the update process?

Also it appears that installing a server in a chroot jail is tricky
given the frustrations this person has with it:
http://redmine.lighttpd.net/boards/2/topics/2433
So I want to know how important it is to run a web server in a jail, and
how prevalent jailing it is.

--
To reply directly remove the sj. from my email address. This is a spam
jammer.
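An added check for the question above (not from the thread): a POSIX shell function that walks a hand-populated jail and reports every file whose host copy at the same path has since changed, so a host `apt-get upgrade` does not silently leave old binaries or libraries behind in the jail. The jail path and the optional host root are parameters; the only tools used are find and cmp.

```shell
#!/bin/sh
# Added example, not from the thread. Reports jail files that differ from the
# host file at the same relative path. Files with no host counterpart (the
# jail's own config, sockets, logs) are skipped, since they were never copies.
#
# Usage: check_jail_stale /path/to/jail [HOSTROOT]
#   HOSTROOT defaults to the real root; a second tree can be given for testing.
# Prints one "STALE: /relative/path" line per outdated file.
# Returns 0 when the jail matches the host, 1 when at least one file is stale.
check_jail_stale() {
    jail="${1%/}"                      # strip a trailing slash if present
    hostroot="${2:-}"                  # empty string means "/"
    hostroot="${hostroot%/}"

    stale_list=$(
        find "$jail" -type f | while IFS= read -r f; do
            rel="${f#"$jail"}"         # e.g. /usr/sbin/lighttpd
            host="$hostroot$rel"
            [ -f "$host" ] || continue # jail-private file, nothing to compare
            cmp -s "$f" "$host" || printf 'STALE: %s\n' "$rel"
        done
    )

    [ -n "$stale_list" ] || return 0
    printf '%s\n' "$stale_list"
    return 1
}
```

Run it after every host upgrade (or from cron) and re-copy whatever it lists; a non-zero exit status makes it easy to alert on.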
From: Grant on
On Fri, 19 Mar 2010 15:56:34 -0700, Artist <artist(a)sj.speakeasy.net> wrote:

>I have seen the instructions for running Lighttpd in a chroot jail at:
>http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
>These instructions involve a lot of copying of binaries to the jail.
>This would mean, I assume, that if I were to execute the:
>apt-get update
>command the binaries in the jail will not be updated and would have to
>follow up with a manual operation or script to update the jail. So is
>there a way to put the server in a chroot jail using apt-get, aptitude
>or synaptic that would include the jail in the update process?
>
>Also it appears that installing a server in a chroot jail is tricky
>given the frustrations this person has with it:
>http://redmine.lighttpd.net/boards/2/topics/2433
>So I want to know how important it is to run a web server in a jail, and
>how prevalent jailing it is.

I don't bother with a jail. Don't run PHP and friends as it is a security
risk. A web server with sane permissions and no upload facility is fairly
safe. Here I block all but GET and HEAD requests. Also not accept requests
to server's IP number, only respond to expected virtual domains.

Problem these days is people use templates and packages that they source
from the big bad Internet -- then blindly put up stuff without any security
audit.

Grant.
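The two measures Grant describes, as an added lighttpd.conf fragment that is not from his post or the thread; the hostname www.example.com and the document-root paths are assumptions. The permissive default is shown (commented out) beside the restricted form.

```conf
# Added example, not from the thread. Hostnames and paths are assumptions.

# Permissive: a single document root answers whatever Host header arrives,
# including a request addressed to the server's bare IP, and every request
# method is accepted. (Commented out because lighttpd rejects a variable
# assigned twice at global scope.)
# server.document-root = "/var/www/example"

# Restricted: the default (unmatched) host gets an empty directory, and only
# the expected virtual host gets real content. A request sent to the bare IP
# matches no vhost and is answered from the empty root with a 404.
server.document-root = "/var/www/empty"

$HTTP["host"] == "www.example.com" {
    server.document-root = "/var/www/example"
}

# Refuse every method except GET and HEAD. An empty string in url.access-deny
# denies all paths, so POST, PUT and the rest get a 403 instead of reaching
# any handler.
$HTTP["request-method"] !~ "^(GET|HEAD)$" {
    url.access-deny = ( "" )
}
```

A site that accepts uploads, as Artist's later message requires, has to permit POST for the upload URLs; confine that with a narrower `$HTTP["url"]` condition rather than dropping the method block entirely.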
From: Artist on
Grant wrote:
> On Fri, 19 Mar 2010 15:56:34 -0700, Artist<artist(a)sj.speakeasy.net> wrote:
>
>> I have seen the instructions for running Lighttpd in a chroot jail at:
>> http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
>> These instructions involve a lot of copying of binaries to the jail.
>> This would mean, I assume, that if I were to execute the:
>> apt-get update
>> command the binaries in the jail will not be updated and would have to
>> follow up with a manual operation or script to update the jail. So is
>> there a way to put the server in a chroot jail using apt-get, aptitude
>> or synaptic that would include the jail in the update process?
>>
>> Also it appears that installing a server in a chroot jail is tricky
>> given the frustrations this person has with it:
>> http://redmine.lighttpd.net/boards/2/topics/2433
>> So I want to know how important it is to run a web server in a jail, and
>> how prevalent jailing it is.
>
> I don't bother with a jail. Don't run PHP and friends as it is a security
> risk. A web server with sane permissions and no upload facility is fairly
> safe. Here I block all but GET and HEAD requests. Also not accept requests
> to server's IP number, only respond to expected virtual domains.
>
> Problem these days is people use templates and packages that they source
> from the big bad Internet -- then blindly put up stuff without any security
> audit.
>
> Grant.

One of my sites will require the ability for members to upload image files.

What is meant by "PHP and friends" ?

--
To reply directly remove the sj. from my email address. This is a spam
jammer.
From: Artist on
Artist wrote:
> Grant wrote:
>> On Fri, 19 Mar 2010 15:56:34 -0700, Artist<artist(a)sj.speakeasy.net> wrote:
>>
>>> I have seen the instructions for running Lighttpd in a chroot jail at:
>>> http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
>>>
>>> These instructions involve a lot of copying of binaries to the jail.
>>> This would mean, I assume, that if I were to execute the:
>>> apt-get update
>>> command the binaries in the jail will not be updated and would have to
>>> follow up with a manual operation or script to update the jail. So is
>>> there a way to put the server in a chroot jail using apt-get, aptitude
>>> or synaptic that would include the jail in the update process?
>>>
>>> Also it appears that installing a server in a chroot jail is tricky
>>> given the frustrations this person has with it:
>>> http://redmine.lighttpd.net/boards/2/topics/2433
>>> So I want to know how important it is to run a web server in a jail, and
>>> how prevalent jailing it is.
>>
>> I don't bother with a jail. Don't run PHP and friends as it is a security
>> risk. A web server with sane permissions and no upload facility is fairly
>> safe. Here I block all but GET and HEAD requests. Also not accept requests
>> to server's IP number, only respond to expected virtual domains.
>>
>> Problem these days is people use templates and packages that they source
>> from the big bad Internet -- then blindly put up stuff without any security
>> audit.
>>
>> Grant.
>
> One of my sites will require the ability for members to upload image files.
>
> What is meant by "PHP and friends" ?
>

My sites will be run by the Drupal CMS. PHP is required for that.

--
To reply directly remove the sj. from my email address. This is a spam
jammer.
From: The Natural Philosopher on
Artist wrote:
> Artist wrote:
>> Grant wrote:
>>> On Fri, 19 Mar 2010 15:56:34 -0700, Artist<artist(a)sj.speakeasy.net> wrote:
>>>
>>>> I have seen the instructions for running Lighttpd in a chroot jail at:
>>>> http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
>>>>
>>>> These instructions involve a lot of copying of binaries to the jail.
>>>> This would mean, I assume, that if I were to execute the:
>>>> apt-get update
>>>> command the binaries in the jail will not be updated and would have to
>>>> follow up with a manual operation or script to update the jail. So is
>>>> there a way to put the server in a chroot jail using apt-get, aptitude
>>>> or synaptic that would include the jail in the update process?
>>>>
>>>> Also it appears that installing a server in a chroot jail is tricky
>>>> given the frustrations this person has with it:
>>>> http://redmine.lighttpd.net/boards/2/topics/2433
>>>> So I want to know how important it is to run a web server in a jail, and
>>>> how prevalent jailing it is.
>>>
>>> I don't bother with a jail. Don't run PHP and friends as it is a security
>>> risk. A web server with sane permissions and no upload facility is fairly
>>> safe. Here I block all but GET and HEAD requests. Also not accept requests
>>> to server's IP number, only respond to expected virtual domains.
>>>
>>> Problem these days is people use templates and packages that they source
>>> from the big bad Internet -- then blindly put up stuff without any security
>>> audit.
>>>
>>> Grant.
>>
>> One of my sites will require the ability for members to upload image files.
>>
>> What is meant by "PHP and friends" ?
>>
>
> My sites will be run by the Drupal CMS. PHP is required for that.
>
Nothing wrong with PHP per se; it's the CMSs and 3rd party libraries that
are often the problem.

One because they are popular, and therefore worth attacking in the same
way M$ is, and two because they are used by people who understand just
enough to get them working, but not always enough to get them working
PROPERLY and SECURELY.