View Single Post
  #6   (View Single Post)  
Old 10th September 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by barti View Post
Is it a good idea to use jail or not?

To protect Nginx inside Freebsd?


I'm getting a headache.
The purpose of isolating network services is to (possibly) limit the damage of an attack upon them.

Web servers that run "server side" programs, such as CGI or PHP, may have errors in those programs which allow an attacker to submit and execute their own code -- an injection. That injected code can do anything the web server could do.

This is a reason one might choose a "jail" -- a successful attacker would be limited to accessing only those files and services available to the jail. However, this is not necessarily good enough.
For example, the web server may be permitted to contact a database server and issue any SQL operation. A successful attacker, even in a "jail" could still reach out and read or modify the databases available to it.
I can't answer jail or FreeBSD questions. But now you know why a jail may be recommended for nginx in FreeBSD. I hope your headache subsides.

----

As you came from OpenBSD, I will tell you how this is done there:
  • Services that require superuser capability (such as network servers that listen at low numbered ports) use privilege separation.
  • Services that have programmatic interfaces for "server side" programs use chroot(8) to isolate filesystems.
Both the built-in httpd(8) and nginx(8) web servers use privilege separation and are chrooted by default.

Last edited by jggimi; 10th September 2012 at 09:37 PM. Reason: added links
Reply With Quote