jails or chroot?

Jahilliya jahilliya at gmail.com
Tue May 9 12:48:28 UTC 2006


On 5/9/06, Michael Grant <mg-fbsd3 at grant.org> wrote:
>
> I host a bunch of websites on my box.  Recently I had some problems
> with file access problems with php which caused me to look into
> putting each of my clients into their own jail or chroot.  I have
> roughly 100 different domains I'd need to split.
>
> Has anyone done this for more than a handful of clients?  Using
> apache and their "mass virtual hosting", 100 domains is a breeze.  But
> with a jail or chroot, I need a separate apache process for each
> domain.  This is going to mean hundreds of apache processes.  This
> seems unreasonable.


Agreed that creating hundreds of chroots or jails would be an administrative
nightmare. File access can be solved with suexec (compile apache with suexec
enabled), this means that for each virtual host entry in your apache config
you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or
your apache version doc set). This will make each apache process run as the
user specified in the virtual host entry (not www) allowing you to restrict
their access to files with filesystem ACLs and even ugidfw, you could also
then set up process/memory restrictions in /etc/login.conf

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
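
A check that fits the per-user setup described in the reply above, added here as an example and not part of the original thread: once each client runs under its own uid, isolation depends on ownership and the "other" permission bits of every docroot, so this walks each client's tree and reports entries another local uid could read or write. The one-directory-per-client layout, the names audit_docroots and demo, the client names, and the idea that the web server reaches files through owner or group bits are all assumptions.

```python
import os
import stat
import tempfile


def audit_docroots(base, expected_owner):
    """Return (path, problem) pairs for entries other local uids could reach.

    base: directory with one sub-directory per client (assumed layout).
    expected_owner: dict of client directory name -> uid that should own it.
    """
    findings = []
    for client, uid in sorted(expected_owner.items()):
        for dirpath, _dirs, files in os.walk(os.path.join(base, client)):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # symlink mode bits do not control access
                if st.st_uid != uid:
                    findings.append((path, "owned by uid %d, expected %d" % (st.st_uid, uid)))
                if st.st_mode & stat.S_IWOTH:
                    findings.append((path, "world-writable"))
                elif st.st_mode & stat.S_IROTH:
                    findings.append((path, "world-readable"))
    return findings


def demo():
    """Audit a constructed two-client tree; client2 has a deliberately loose file."""
    me = os.getuid()  # stand-in for the per-client uids, so this runs unprivileged
    with tempfile.TemporaryDirectory() as base:
        for client, mode in (("client1", 0o640), ("client2", 0o666)):
            htdocs = os.path.join(base, client, "htdocs")
            os.makedirs(htdocs)
            os.chmod(os.path.join(base, client), 0o750)
            os.chmod(htdocs, 0o750)
            cfg = os.path.join(htdocs, "config.php")
            with open(cfg, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(cfg, mode)
        found = audit_docroots(base, {"client1": me, "client2": me})
        return [(os.path.relpath(p, base), why) for p, why in found]


if __name__ == "__main__":
    for path, why in demo():
        print(path, why)
```

On a real host the expected_owner map would come from the same list of clients used to write the virtual host entries, and the audit would run as a user that can stat every tree.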

