Hi,

Crispin Cowan wrote:
> Dirk Schreiner wrote:
>> Crispin Cowan wrote:
>>> on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :)
>> Oh, you can chroot apache fairly well.
> True, if you use any of a variety of confinement mechanisms (chroot, virtual machines (Xen, VMware, UML), AppArmor, SELinux) then you can achieve sufficient confinement of the web server that your firewall could be safe enough. The issue is how easy or difficult it is to achieve that, and to achieve it correctly, because if the confinement has holes, then your security is at risk again. Chroot, in particular, has issues with being escapable if it is not configured correctly, so be careful.

I am ;-)

Btw. I don't want to start another discussion thread about AppArmor. But if you have a configuration example handy for securing apache2 on SuSE 10, I would like to give AppArmor a chance.

Dirk

TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de
Register court: München HRB 113466
VAT ID: DE 180017238
Tax no.: 802/40600
Managing director: Richard Hofbauer
Commercial management: Rosa Igl