Mike Tierney wrote:
| Yes people can escape from Chroots. There is no extra protection in
| the SuSE Kernel yet. And trying to apply any 3rd party patches can
| be a real pain (at least for the 2.4 kernel) owing to the extensive
| backports of stuff into it.

Is there any proof of concept or any article on the net, even if you disable /proc access in chroot-apache? What about the use of capabilities in that context (and grsecurity patches)?

| Look at my thread from about a week or two ago called "Extra Chroot
| Protection in SuSE?" or something like that.
|
| If you don't mind running a patched vanilla kernel, take a look at
| www.grsecurity.org. They have done all kinds of nice things like
| make Chroots more secure as well as patching lots of other things
| and implementing some stack smashing protection etc.
|
| Also, if you want REALLY secure separation of applications, then
| I'd recommend something like the linux vserver project
| (www.linux-vserver.org) whereby you can create multiple virtual
| servers with their own IP addresses and capability restrictions,
| etc.
|
| Or check out Solaris 10 x86 which has this feature called
| "Containers" which securely implements the same thing but it's part
| of the OS now rather than an "add-on" or 3rd party patch. Also
| anyone can now use Solaris 10 x86 as long as they register that
| they are using it!
|
| Hope that helps! :)
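The question above about capabilities and /proc inside a chroot can be checked concretely: this added example (not code from the thread or from any of the projects it names) parses the Cap* lines of a Linux /proc/&lt;pid&gt;/status file and reports which jail-widening capabilities a process such as a chroot'd Apache worker still holds, and whether the host procfs is reachable from the jail directory. The sample status lines and the set of "risky" capabilities are constructed for illustration.

```python
"""Audit which Linux capabilities a process keeps, by parsing /proc/<pid>/status.
Added example for the chroot/capabilities question in the thread; not from the thread."""
import os
import re

# Bit numbers from linux/capability.h (the first 32 capabilities).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
}

# Constructed hardening list: capabilities a jailed service should not keep, since each
# lets a root process widen its view of the host (re-chroot, mount, mknod, ptrace, modules).
JAIL_RISKY = {"CAP_SYS_CHROOT", "CAP_SYS_ADMIN", "CAP_MKNOD", "CAP_SYS_PTRACE",
              "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_DAC_OVERRIDE"}

def parse_cap_sets(status_text):
    """Map each Cap* line (CapInh/CapPrm/CapEff/CapBnd, ...) to a set of capability names."""
    sets = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        mask = int(m.group(2), 16)
        sets[m.group(1)] = {CAP_NAMES.get(b, "CAP_%d" % b)
                            for b in range(mask.bit_length()) if mask >> b & 1}
    return sets

def risky_caps(status_text, which="CapBnd"):
    """Risky capabilities still present in the chosen set. The bounding set (CapBnd) is
    what a root process inside the jail can regain, so audit it, not only CapEff."""
    return sorted(parse_cap_sets(status_text).get(which, set()) & JAIL_RISKY)

def jail_exposes_proc(jail_root):
    """True if a procfs is reachable from inside the jail directory tree."""
    return os.path.exists(os.path.join(jail_root, "proc", "self", "status"))

def audit_pid(pid="self"):
    """Read a live process's status file and report its risky bounding-set capabilities."""
    with open("/proc/%s/status" % pid) as f:
        return risky_caps(f.read())

# Constructed sample: a root-owned httpd worker whose bounding set still contains
# CAP_SYS_CHROOT (bit 18), CAP_SYS_PTRACE (bit 19) and CAP_MKNOD (bit 27).
SAMPLE_STATUS = "Name:\thttpd\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000040000\nCapBnd:\t00000000080c0000\n"
# Constructed hardened sample: only CAP_NET_BIND_SERVICE (bit 10) is left.
HARDENED_STATUS = "Name:\thttpd\nCapEff:\t0000000000000400\nCapBnd:\t0000000000000400\n"

if __name__ == "__main__":
    print("sample jail keeps:", risky_caps(SAMPLE_STATUS))      # three risky caps
    print("hardened jail keeps:", risky_caps(HARDENED_STATUS))  # none
```

Run `audit_pid(<pid>)` against a real jailed worker to see what it would regain; an empty list plus `jail_exposes_proc(root) == False` is the state the thread's hardening advice is aiming for.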