[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?

Fri May 4 06:34:01 UTC 2007
Scott Lamb <slamb at slamb.org>

On May 3, 2007, at 7:39 PM, Dan Mensom wrote:
> For the benefit of the archives, here is the quick rundown of what I did,
> following mostly the docs at http://fastcgi.coremail.cn/doc.htm:

Thanks; I'll have to look back at your steps if I ever get around to  
setting up SELinux.

>> Now that is a secure option, though not light-weight of course.
>
> Hrmm.. Not necessarily. Last I checked the Xen people were still in the
> process of hardening their kernel APIs to prevent vm guest breakout. I
> don't think the process was completed for 3.0, but I could be wrong..

Well, I hope it is, because I've got a server at a Xen-based virtual  
hosting company containing somewhat sensitive data.

Googling "xen guest breakout" doesn't turn up much. There are people  
saying they haven't formally proven there are no vulnerabilities in  
the design or implementation [1], but that's not too surprising - the  
same's true for the Linux kernel. I basically have to trust Linux  
anyway in the absence of specific bug reports, or I'd get nothing done.

[1] - http://article.gmane.org/gmane.comp.emulators.xen.user/23297

-- 
Scott Lamb <http://www.slamb.org/>