Hi,

James Strandboge wrote:
...
While we're at systrace, I was wondering - could systrace reduce the risks associated with running apache with PHP?


Default apache is already chrooted, so systracing it won't be as much of
a win as systracing processes not in a chroot.  That said, you can
definitely add another layer and protect your apache chroot area by
systracing it, sure.  chrooting and/or systracing every internet facing
server is not a bad idea at all.


Apache forks children with reduced privileges (user www) while, at the same time, there's always an Apache process running as root. Therefore, a useful systrace policy for Apache probably won't be easy to write.

regards,
Andreas
