Open chris001 opened 9 years ago
Hi, thanks for your message. If the goal is to improve security (hiding /etc/shadow and /etc/passwd) for scripting languages, I would suggest using Apache's user module in conjunction with chroot:
http://serverfault.com/questions/451011/isolating-apache-virtualhosts-from-the-rest-of-the-system
Every virtual host could be assigned to a global jail or a user/virtual-host-specific jail. Debootstrap-container (which lets users have their own container, so they can install their own packages) is not needed, IMHO.
Kind regards,
Leon
On Wed, Dec 10, 2014 at 6:10 PM, Chris Coleman notifications@github.com wrote:
Any idea if debootstrap-container would work as a way to fully isolate Apache virtual hosts into their own container on OpenVZ? If not, would you be interested in giving it a go? The idea is for each virtual host to be locked in its own jail-type container (the virtual host folder), to prevent a maliciously uploaded PHP shell from browsing the entire OpenVZ container and reading sensitive system files like /etc/shadow and /etc/passwd, or other virtual host folders, which contain database usernames and passwords, global configs and access credentials for LDAP, IMAP servers, etc. Note: there is a commercial product which does this fully, but an open source alternative would be awesome.
— Reply to this email directly or view it on GitHub https://github.com/coderofsalvation/debootstrap-container/issues/1.
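As an added illustration of the setup Leon suggests above (a per-virtual-host Unix user via Apache's mpm-itk plus a server-wide chroot), here is an Apache configuration written for this thread; it is not code from the thread, from the serverfault answer, or from debootstrap-container. Host names, user names, the /var/jail path and the /sites layout are assumptions.

```apache
# Added example, not from the thread or from debootstrap-container.
# One httpd instance, a global chroot jail, and a separate Unix user per
# virtual host (mpm-itk). All paths, users and host names are assumptions.

# Global jail: httpd chroot()s here after startup, before it accepts
# requests. Core directive on Unix builds of httpd 2.2.10 and later.
# Paths opened at request time (DocumentRoot, PHP includes, uploads)
# are then resolved inside /var/jail.
ChrootDir /var/jail

# mpm-itk switches the worker to the vhost's own uid/gid per request,
# so a PHP shell uploaded to site a runs as web-a and is blocked by
# ordinary file permissions from site b's config files.
<VirtualHost *:80>
    ServerName a.example.org
    # /var/jail/sites/a/htdocs on the host's filesystem
    DocumentRoot /sites/a/htdocs
    # mpm-itk: dedicated user and group for this vhost
    AssignUserID web-a web-a
    # mpm-itk: one site cannot exhaust every worker
    MaxClientsVHost 20
    # mod_php second line of defence: PHP refuses to open files
    # outside these prefixes even if the uid switch were bypassed
    php_admin_value open_basedir "/sites/a:/tmp/a"
    php_admin_value upload_tmp_dir "/tmp/a"
    php_admin_value session.save_path "/tmp/a"
</VirtualHost>

<VirtualHost *:80>
    ServerName b.example.org
    DocumentRoot /sites/b/htdocs
    AssignUserID web-b web-b
    MaxClientsVHost 20
    php_admin_value open_basedir "/sites/b:/tmp/b"
    php_admin_value upload_tmp_dir "/tmp/b"
    php_admin_value session.save_path "/tmp/b"
</VirtualHost>
```

The configuration only holds if the filesystem backs it up: each site directory must be owned by its own user and closed to others (for the assumed layout, `chown -R web-a:web-a /var/jail/sites/a` and `chmod 750 /var/jail/sites/a`, and likewise for b), otherwise web-b can still read a's database credentials. The jail should contain only what PHP needs at runtime (the extension directory, /etc/resolv.conf, a minimal /etc/passwd listing just the web-* users if PHP calls getpwuid, and the database socket or a TCP connection instead), never the real /etc/shadow; a quick check is to run a shell inside the jail with `chroot /var/jail /bin/sh` and confirm that /etc/shadow and the other sites are not visible. Two caveats a practitioner should weigh: httpd checks DocumentRoot when it parses the configuration, before it has chrooted, so the path is usually made valid both ways (for example a /sites symlink on the host pointing into /var/jail/sites); and mpm-itk keeps root in the worker until it has parsed the request in order to setuid per vhost, so a bug in that early request handling runs with root privileges, which is the trade-off discussed in the linked serverfault answer. ChrootDir is server-wide; the "user/virtual-host-specific jail" Leon mentions would need a per-site mechanism such as one PHP-FPM pool per vhost with its own chroot setting rather than this directive.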