Best way to sandbox Apache on Linux


Problem description

I have Apache running on a public-facing Debian server, and am a bit worried about the security of the installation. This is a machine that hosts several free-time hobby projects, so none of us who use the machine really have the time to constantly watch for upstream patches, stay aware of security issues, etc. But I would like to keep the bad guys out, or if they get in, keep them in a sandbox.

So what's the best, easy to set up, easy to maintain solution here? Is it easy to set up a user-mode linux sandbox on Debian? Or maybe a chroot jail? I'd like to have easy access to files inside the sandbox from the outside. This is one of those times where it becomes very clear to me that I'm a programmer, not a sysadmin. Any help would be much appreciated!

Solution

Chroot jails can be really insecure when you are running a complete sandbox environment. Attackers have complete access to kernel functionality and for example may mount drives to access the "host" system.

I would suggest that you use linux-vserver. You can see linux-vserver as an improved chroot jail with a complete Debian installation inside. It is really fast since it is running within one single kernel, and all code execution is done natively.

I personally use linux-vserver for separation of all my services and there are only barely noticeable performance differences.

Have a look at the linux-vserver wiki for installation instructions.

regards, Dennis
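
An added example, not part of the original answer or of linux-vserver: a check that reads the text of `/proc/<pid>/status` for a process that is supposed to be jailed and flags the capabilities that undo a chroot, including the one behind the mounting case the answer mentions. The capability selection, the function names and the sample status text are this example's own and are constructed.

```python
# Capability bit numbers from <linux/capability.h>. Each one can be used to
# reach outside a chroot directory, so a jailed service should hold none.
CHROOT_DEFEATING_CAPS = {
    2: "CAP_DAC_READ_SEARCH",
    16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO",
    18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",  # covers mount(2), the case named in the answer
    27: "CAP_MKNOD",
}

def _names(mask):
    """Names of the chroot-defeating capabilities set in a bitmask."""
    return [n for bit, n in CHROOT_DEFEATING_CAPS.items() if mask >> bit & 1]

def audit_status(status_text):
    """Audit the text of /proc/<pid>/status for a process meant to be jailed."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    effective = int(fields["CapEff"], 16)
    bounding = int(fields["CapBnd"], 16)
    return {
        "name": fields.get("Name", "?"),
        "euid": int(fields["Uid"].split()[1]),  # real, effective, saved, fs
        # Held right now.
        "effective": _names(effective),
        # Not held, but still inside the bounding set, so an execve() of a
        # set-uid-root or file-capability binary could grant them.
        "regainable": _names(bounding & ~effective),
    }

# Constructed samples (not captured from a real host).
ROOT_IN_CHROOT = "Name:\tapache2\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
WORKER = "Name:\tapache2\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"
HARDENED = "Name:\tapache2\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000000\nCapBnd:\t0000000000000400\n"

if __name__ == "__main__":
    for sample in (ROOT_IN_CHROOT, WORKER, HARDENED):
        print(audit_status(sample))
```

On a live host the input would be the contents of `/proc/<pid>/status` for the Apache parent and each worker; an empty `effective` list with a non-empty `regainable` list means the jail still depends on no privileged binary being reachable inside it.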
