Philippe Vogel wrote:
By setting rights to programs that may be used by another app (e.g. at apache startup) you may alter your configuration. Better give apache a restricted bash! Try chrooting your apache instead to make it a way more secure.
Make a chroot-jail by copying ann needed libraries and stuff to /var/chroot/apache (/bin, /etc, and so on) and start apache with unprivileged user from chroot. This will give script-kiddie no rights except within chroot-jail. At the risk of being accused of spamming again :) this is something that Novell AppArmor is very good at.
Unlike chroot jails, AppArmor confinement can be applied per CGI program, so that you don't have to put your entire web site into a single security container. More over, you can even put individual PHP pages and mod_perl scripts into individual security containers, achieving a very high degree of "least privilege" execution per program. An evaluation version of AppArmor is now included in SUSE Linux 10.0 if you would like to check it out. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com