On Wed, May 03, 2017 at 01:14:08PM +0200, Lentes, Bernd wrote:

> I'm astonished that the topic vhosts/hats is so complicated. I read some articles from German computer magazines about apparmor, and the tenor was always "it's pretty easy".
Hello Bernd,

Simple uses of AppArmor are relatively easy, as you've seen reported. But confining different portions of a program with different permissions is more complicated and most of the time the person writing the profile must know how the internals of the program work. (Which is why aa-logprof creates a bunch of hats for apache by default -- /etc/apparmor/logprof.conf describes a few change_hat-enabled applications and what hats those modifications require.)

> What are big companies running a lot of vhosts doing ? Not using apparmor ?

The hosters that we've heard of that use hats for their vhosts generate all the hats nearly identically via a script. They allow their users access to expected files and little else.

Another choice is to simply confine the whole webserver with one profile and not attempt to subdivide it further.

Another choice is to run different webservers for different applications and use a proxy in front of the server to give the impression that they're all running in the same server.

I hope this helps.

Thanks
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
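The reply above mentions that hosters script the generation of near-identical hats, one per vhost. The following is an added example of such a generator, not code from the thread or from the AppArmor project. It assumes a hypothetical layout in which each vhost's document root is /srv/www/<vhost>/ with a writable uploads/ subdirectory and per-vhost logs under /var/log/apache2/<vhost>/; the profile body, the abstraction names and the AAHatName directive are standard AppArmor/mod_apparmor, the layout is the assumption. Hat names are sanitized so that a vhost like example.com becomes the hat ^example_com.

```shell
#!/bin/sh
# Generate one AppArmor profile for /usr/sbin/apache2 containing a near-identical
# change_hat subprofile ("hat") per vhost. Example code; the /srv/www/<vhost>
# layout and the uploads/ directory are assumptions, not AppArmor conventions.

# hat_name VHOST: turn a vhost name into a safe hat identifier (example.com -> example_com)
hat_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_'
}

# gen_hat VHOST: print the hat for one vhost. Apache enters it when the vhost's
# <VirtualHost> block carries "AAHatName <hat>" (mod_apparmor).
gen_hat() {
    vhost=$1
    hat=$(hat_name "$vhost")
    docroot=/srv/www/$vhost
    cat <<EOF
  # vhost ${vhost}: select with "AAHatName ${hat}" inside its <VirtualHost>
  ^${hat} {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    # read-only access to this vhost's document root, nothing from other vhosts
    ${docroot}/ r,
    ${docroot}/** r,

    # the only writable location inside the docroot (assumed upload area)
    ${docroot}/uploads/ rw,
    ${docroot}/uploads/** rw,

    # per-vhost logs, append/write only
    /var/log/apache2/${vhost}/ rw,
    /var/log/apache2/${vhost}/*.log w,
  }

EOF
}

# gen_profile VHOST...: print the full profile, wrapping one hat per argument.
# The outer (default) profile stays deliberately small; everything a vhost
# needs lives in its hat.
gen_profile() {
    cat <<'EOF'
#include <tunables/global>

/usr/sbin/apache2 flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/apache2-common>

  capability net_bind_service,
  capability setuid,
  capability setgid,
  capability dac_override,

  /usr/sbin/apache2 mr,
  /etc/apache2/** r,
  /var/log/apache2/*.log w,
  /run/apache2/** rw,

EOF
    for v in "$@"; do
        gen_hat "$v"
    done
    echo "}"
}

# Usage: ./gen-vhost-hats.sh example.com shop.example.net > /etc/apparmor.d/usr.sbin.apache2
if [ "$#" -gt 0 ]; then
    gen_profile "$@"
fi
```

Before loading the result, run it through the parser in check-only mode, e.g. `./gen-vhost-hats.sh example.com | apparmor_parser -Q /dev/stdin`, so a typo in a generated rule is caught before `apparmor_parser -r` replaces the live profile. The per-vhost paths are the whole point of the exercise: a vhost compromised through its application code can read its own tree and write only to its upload and log directories, but the neighbouring vhost's document root does not appear in its hat at all.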
