Hey.

On Wed, 2012-05-23 at 20:05 +0800, Thomas Goirand wrote:
> This isn't the only way. I run PHP using sbox-dtc (a CGI wrapper), and a
> chroot template mounted using AUFS.
Has of course the "problem" of setting up and maintaining the chroot...
but a nice idea nevertheless.


>  This is very efficient, and you
> don't need to run each PHP program under a different user (since all
> scripts are executed in a chroot).
Phew... well I wouldn't trust chroots to be break-out secure... and
there are things where the chroot alone doesn't help you, e.g. when you
want to do access control on a DB, and only a specific user should be
allowed to access a specific DB.


> Please don't assume that *your* config is the one that everyone uses (or
> the only one which is safe).
Of course... I'm always open for ideas how to tighten things up even
more.
But I still like my PHP programs to run each under their own users.
I also wouldn't run postfix and e.g. ssh as the same user just because I
jailed them by other means.


Best wishes,
Chris.
