[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?
Scott Lamb
slamb at slamb.org
Fri May 4 06:34:01 UTC 2007
On May 3, 2007, at 7:39 PM, Dan Mensom wrote:
> For the benefit of the archives, here is the quick rundown of what
> I did,
> following mostly the docs at http://fastcgi.coremail.cn/doc.htm:
Thanks; I'll have to look back at your steps if I ever get around to
setting up SELinux.
>> Now that is a secure option, though not light-weight of course.
>
> Hrmm.. Not necessarily. Last I checked the Xen people were still in
> the
> process of hardening their kernel APIs to prevent vm guest breakout. I
> don't think the process was completed for 3.0, but I could be wrong..
Well, I hope it is, because I've got a server at a Xen-based virtual
hosting company containing somewhat sensitive data.
Googling "xen guest breakout" doesn't turn up much. There are people
saying they haven't formally proven there are no vulnerabilities in
the design or implementation [1], but that's not too surprising - the
same's true for the Linux kernel. I basically have to trust Linux
anyway in the absence of specific bug reports, or I'd get nothing done.
[1] - http://article.gmane.org/gmane.comp.emulators.xen.user/23297
--
Scott Lamb <http://www.slamb.org/>
More information about the CentOS
mailing list