3

Are there any better alternatives to a chroot environment? I'm thinking about running nginx in a jailed environment.

BTW, I'm on an OpenVZ VPS, so modifying the kernel is a no-no.

(I think that prevents me from installing SELinux, AppArmor, etc.)

3
  • 2
    Can you clarify your needs? A chroot is usually good enough to jail a server... Commented Feb 22, 2012 at 10:23
  • 1
    Have a look at this answer - it is a bit more general, but I think you'll find information useful in your scenario. Commented Feb 22, 2012 at 11:05
  • @Raphink I'm looking for a way to secure my server running on OpenVZ VPS... Commented Feb 23, 2012 at 19:08

2 Answers

0

Forget the myths about how chroot isn't a security feature... it is integrated as a security feature into mainstream applications of all sizes and flavors for a reason.

OpenVZ is itself basically chroot on steroids, and this should, or will be, all that you will need, as long as it is done conforming to the chroot setup standards and typical procedure.

Generally, if you are simply trying to provide an additional layer of security for nginx, then use chroot. You are mainly trying to provide privacy between users by doing this, or providing security from poorly coded content management systems.

This helps protect, for a few minor examples, against directory traversal attacks, remote file inclusion bugs, or executing applications on the base system. It can also help protect against any known, unknown, or future nginx vulnerabilities, by containing damage to the chroot directory.

With this said, however, be sure to secure your base system, check what version of nginx your operating system repositories are using, and compare it against any security advisories that are currently available for nginx. You may want to compile the latest stable build and use that instead.

There is a useful application by R-FX Networks that can help protect against some kinds of attacks against a running daemon, without using AppArmor or SELinux. It is called SNIV.

For more information on why chroot is still a totally valid security tool in today's day and age, see this answer I recently gave for a more thorough explanation of this scenario.
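
A static check of a jail directory for common chroot permission problems, as an added example that is not part of the original answer. The function name `audit_jail`, the finding labels and the path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): static audit of a chroot jail.
# Usage: audit_jail JAIL_DIR [OWNER_UID]
#   e.g. audit_jail /var/chroot/nginx      (constructed path)
# OWNER_UID defaults to 0 (root); the parameter exists so the check can be
# exercised on a scratch directory without root.
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.

audit_jail() {
    jail=$1
    owner=${2:-0}
    [ -d "$jail" ] || { echo "ERROR not-a-directory $jail"; return 2; }

    findings=$(
        # setuid/setgid files can hand privileges back to a confined process,
        # and a root process inside a chroot is not reliably contained.
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETID %s\n' {} \;
        # World-writable entries let the confined service alter its own jail.
        find "$jail" ! -type l -perm -0002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;
        # Entries not owned by the expected owner may be writable by the
        # unprivileged service account.
        find "$jail" ! -type l ! -user "$owner" \
            -exec printf 'BAD_OWNER %s\n' {} \;
        # Device nodes expose host resources; review each one (a jail often
        # legitimately needs only a minimal set such as /dev/null).
        find "$jail" \( -type b -o -type c \) \
            -exec printf 'DEVICE %s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A `WORLD_WRITABLE` or `DEVICE` finding is a prompt for review rather than an automatic defect: a sticky temporary directory or `/dev/null` inside the jail may be intentional.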

0

Use Linux Containers, LXC, inside OpenVZ VPS. It's possible.
