What chroot() is really for
Posted Oct 5, 2007 11:56 UTC (Fri) by Klavs
In reply to: What chroot() is really for
Parent article: What chroot() is really for
Chroot definetely has it's uses in the security field.
The apache example is a good one. One should always have several layers of security, and putting apache in a chroot is such a layer - and a good one at that. The "risk" of someone finding a bug in some website software is VERY high - even if it's your own software and you've been security conscious - we all make mistakes, and also new bugs is found in PHP and other languages all the time.
Also - it is a VERY good idea to mount /tmp none-executable (if in a chroot - there's a limit to what the executable can do though :) and to have a seperate DB-user for the user (ie. what the casual browser/internet user sees) and the admin section, and remember the principle of least privilege.
to post comments)