On Wed, Jan 26, 2011 at 17:38, Jay Sprenkle <[email protected]> wrote:
> Good morning,
> I'm putting together a system to support WordPress. I'd like to secure it.
> Do I need to use suphp with a chroot'ed apache 2.2 installation?
> I didn't think so since it will inherit the jail from the apache
> installation.
>
> Thanks for your time

You mention two specific similar technologies. A chroot can be broken
out of by virtue of filesystem manipulations. A BSD Jail has
kernel-level safeguards to help prevent such breakouts. If you're
talking about a plain chroot, then this will help mitigate some attacks,
and running apache as an unprivileged user (e.g. www-data or apache or
www or similar distro-default user accounts) helps further, but this is
default anyway.

SuPHP is mainly useful for situations where you can't specify a single
uid for apache to run under, e.g. in a virtual-hosting environment
where you have multiple clients who shouldn't be able to access each
other's data. A chroot or jail has no relationship to your need,
or lack thereof, for utilising SuPHP.
--
For a situation where you control the whole server and have only one
"client" (the client can be yourself or your company) which is allowed
access to all the web-served files then SuPHP will be meaningless. In
this scenario you would be transferring control from the apache user
(unprivileged) to another (also unprivileged) user, meaning a
redundant change of effective-userid. If I were deploying this
scenario then I would create a user account for the web data to be
served and set apache to impersonate that user itself, thereby
allowing me to utilise mod_php and technologies similar to the APC.
--
Regards,
The Honeymonster aka Daniel Llewellyn
_______________________________________________
suPHP mailing list
[email protected]
https://lists.marsching.com/mailman/listinfo/suphp
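
The two situations the reply contrasts, written out as Apache 2.2 configuration. This is an added example, not part of the original message or of the suPHP project; the account names (client_a, wpdata), host names and paths are hypothetical, and the two variants are alternatives that would never be loaded together.

```apache
# ---- Variant A: shared hosting, several clients (the case suPHP is for) ----
# Apache stays on the distro-default unprivileged account; suPHP runs each
# client's PHP under that client's own uid so clients cannot read each
# other's data.
User  www-data
Group www-data
LoadModule suphp_module modules/mod_suphp.so

<VirtualHost *:80>
    ServerName   client-a.example
    DocumentRoot /home/client_a/public_html
    suPHP_Engine on
    # suPHP_UserGroup is only accepted when suPHP was built with
    # setid-mode "force" or "paranoid".
    suPHP_UserGroup client_a client_a
    AddHandler x-httpd-php .php
    suPHP_AddHandler x-httpd-php
</VirtualHost>
# (one such <VirtualHost> per client, each with its own suPHP_UserGroup)

# ---- Variant B: one owner for the whole server (the WordPress case) ----
# No per-request uid switch is needed, so suPHP is not loaded at all.
# Apache drops to a dedicated, unprivileged account that owns the web data,
# and PHP runs in-process via mod_php (which also allows an opcode cache
# such as APC to be used).
User  wpdata
Group wpdata
LoadModule php5_module modules/libphp5.so

<VirtualHost *:80>
    ServerName   blog.example
    DocumentRoot /srv/www/wordpress
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</VirtualHost>

# Neither variant depends on whether Apache itself is started inside a
# chroot or jail; that confinement is configured separately.
```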