1

I want to sandbox multiple web applications hosted on the same server. To test my scenario I configure an Apache web server on a local machine with web apps hosted on that machines. One of the web apps is vulnerable and I want to contain the vulnerable web application within its own shell and do not interfere with the rest of web apps hosted on the same server.

How can i achieve this what are options i.e. mandatory access control policies like apparmor, selinux or chroot. Is this a good practices and what are the current practices.

Ali Ahmad
  • 119
  • 5

1 Answers1

1

There are many options at different levels:

  • MAC, kernel & system security enforcements, as you stated. You can add Grsecurity to the list.
  • interpretor/process isolation: SuPHP, SuExec, PHP-FPM pools...: the website runs under its own user
  • system isolation: chroot, or much better, containers / namespaces (LXC, OpenVZ, Vserver, Jails, Zones)
  • Or even complete virtualisation...

It is common to work at more than one level. For example, I believe that Grsec + (SuPHP or SuExec) is quite common.

zecrazytux
  • 639
  • 3
  • 7