*BSD newbie wanting building (L)AMP server - recommendations? - BSD


  1. *BSD newbie wanting building (L)AMP server - recommendations?

    I've been a PHP/Database developer for a while and want to build a BSD web
    server with PHP/Apache and MySQL. The problem is I am not a BSD/Linux
    admin.

    I have successfully installed OpenBSD and got it serving up apache and
    apache SSL pages on a test box. It was actually quite easy following the
    site's directions.

    The problem lies when something happens for which there are no
    instructions - I will be somewhat lost. So I want a recommendation for a
    BSD flavor with these goals in mind:
    - secure by default or easily secured - will be hosting web application with
    client's data
    - not too hard to set up
    - not too hard to update
    - plenty of documentation
    - plenty of how-to's
    - good support community

    Thanks for your thoughts/experience/reasoning/links!



  2. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    In comp.unix.bsd.openbsd.misc Notgiven wrote:
    > I've been a PHP/Database developer for a while and want to build a BSD
    > web server with PHP/Apache and MySQL. The problem is I am not a
    > BSD/Linux admin.
    >
    > I have successfully installed OpenBSD and got it serving up apache and
    > apache SSL pages on a test box. It was actually quite easy following
    > the site's directions.
    >
    > The problem lies when something happens for which there are no
    > instructions - I will be somewhat lost. So I want a recommendation
    > for a BSD flavor with these goals in mind:
    > - secure by default or easily secured - will be hosting web
    > application with client's data


    OpenBSD. Though FreeBSD is not half bad, either.

    > - not too hard to set up


    FreeBSD might be easier. You've already managed this, though.

    The hardest part to get right on OpenBSD is the fact that Apache runs in
    a chroot. This is a very sensible design, and adds a lot to security -
    but it's not the most common setup.

    > - not too hard to update


    Recent OpenBSD versions aren't hard at all, if you are willing to accept
    that having a compiler on a production box is a sensible thing to do.
    (It is, but many Linux admins have other ideas.)

    I do not have sufficient experience on FreeBSD to say either way.

    > - plenty of documentation


    Almost everything in OpenBSD is well-documented. FreeBSD definitely has
    more documentation; but I can't speak for the quality.

    > - plenty of how-to's


    Install Linux. FreeBSD has very few, and OpenBSD next to none - about
    the only 'howto'-ish documents I've ever read are the Big Scary Daemons
    articles on onlamp.com.

    On the upside, the howtos typically apply to any UNIX-ish system; in
    this aspect, both OSes are about equally cursed.

    > - good support community


    OpenBSD's community can be very helpful, but *will* require you to do
    your homework. FreeBSD's community is, at least, larger.

    I've also heard rumours that FreeBSD's PHP has a memory leak. This might
    or might not be a real problem.

    (Note: there are more BSD flavours than Open and Free, but since you've
    only posted to those groups, I'll stick to those.)

    Joachim

  3. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    wrote in message
    news:451d76ea$0$46251$dbd4d001@news.wanadoo.nl...
    > In comp.unix.bsd.openbsd.misc Notgiven
    > wrote:
    >> I've been a PHP/Database developer for a while and want to build a BSD
    >> web server with PHP/Apache and MySQL. The problem is I am not a
    >> BSD/Linux admin.
    >>
    >> I have successfully installed OpenBSD and got it serving up apache and
    >> apache SSL pages on a test box. It was actually quite easy following
    >> the site's directions.
    >>
    >> The problem lies when something happens for which there are no
    >> instructions - I will be somewhat lost. So I want a recommendation
    >> for a BSD flavor with these goals in mind:
    >> - secure by default or easily secured - will be hosting web
    >> application with client's data

    >
    > OpenBSD. Though FreeBSD is not half bad, either.
    >
    >> - not too hard to set up

    >
    > FreeBSD might be easier. You've already managed this, though.
    >
    > The hardest part to get right on OpenBSD is the fact that Apache runs in
    > a chroot. This is a very sensible design, and adds a lot to security -
    > but it's not the most common setup.
    >
    >> - not too hard to update

    >
    > Recent OpenBSD versions aren't hard at all, if you are willing to accept
    > that having a compiler on a production box is a sensible thing to do.
    > (It is, but many Linux admins have other ideas.)
    >
    > I do not have sufficient experience on FreeBSD to say either way.
    >
    >> - plenty of documentation

    >
    > Almost everything in OpenBSD is well-documented. FreeBSD definitely has
    > more documentation; but I can't speak for the quality.
    >
    >> - plenty of how-to's

    >
    > Install Linux. FreeBSD has very few, and OpenBSD next to none - about
    > the only 'howto'-ish documents I've ever read are the Big Scary Daemons
    > articles on onlamp.com.
    >
    > On the upside, the howtos typically apply to any UNIX-ish system; in
    > this aspect, both OSes are about equally cursed.
    >
    >> - good support community

    >
    > OpenBSD's community can be very helpful, but *will* require you to do
    > your homework. FreeBSD's community is, at least, larger.
    >
    > I've also heard rumours that FreeBSD's PHP has a memory leak. This might
    > or might not be a real problem.
    >
    > (Note: there are more BSD flavours than Open and Free, but since you've
    > only posted to those groups, I'll stick to those.)
    >
    > Joachim


    Joachim - many thanks for your remarks and insights. I am leaning toward
    OpenBSD simply because security is important to me and its default install
    is made secure so if I do nothing unusual I assume it should remain fairly
    secure. As long as I can get everything I want running on it, I should be
    good to go.



  4. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    "Notgiven" wrote in message
    news:xLdTg.26780$tT6.3288@bignews7.bellsouth.net.. .
    > I've been a PHP/Database developer for a while and want to build a BSD web
    > server with PHP/Apache and MySQL. The problem is I am not a BSD/Linux
    > admin.
    >
    > I have successfully installed OpenBSD and got it serving up apache and
    > apache SSL pages on a test box. It was actually quite easy following the
    > site's directions.
    >
    > The problem lies when something happens for which there are no
    > instructions - I will be somewhat lost. So I want a recommendation for a
    > BSD flavor with these goals in mind:
    > - secure by default or easily secured - will be hosting web application
    > with client's data
    > - not too hard to set up
    > - not too hard to update
    > - plenty of documentation
    > - plenty of how-to's
    > - good support community


    I use OpenBSD with MySQL and PHP with no problems at all. The online shop
    system on my site (below) is built on this combination.

    The chroot does complicate things somewhat, but you *could* choose to turn
    it off (although I'd advise you to do a lot of reading up to do so from an
    informed position).

    Steve
    http://www.fivetrees.com



  5. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    "Steve at fivetrees" wrote in message
    news:JLKdnW4cs_cvpIPYnZ2dnUVZ8tCdnZ2d@pipex.net...
    > "Notgiven" wrote in message
    > news:xLdTg.26780$tT6.3288@bignews7.bellsouth.net.. .
    >> I've been a PHP/Database developer for a while and want to build a BSD
    >> web server with PHP/Apache and MySQL. The problem is I am not a
    >> BSD/Linux admin.
    >>
    >> I have successfully installed OpenBSD and got it serving up apache and
    >> apache SSL pages on a test box. It was actually quite easy following the
    >> site's directions.
    >>
    >> The problem lies when something happens for which there are no
    >> instructions - I will be somewhat lost. So I want a recommendation for a
    >> BSD flavor with these goals in mind:
    >> - secure by default or easily secured - will be hosting web application
    >> with client's data
    >> - not too hard to set up
    >> - not too hard to update
    >> - plenty of documentation
    >> - plenty of how-to's
    >> - good support community

    >
    > I use OpenBSD with MySQL and PHP with no problems at all. The online shop
    > system on my site (below) is built on this combination.
    >
    > The chroot does complicate things somewhat, but you *could* choose to turn
    > it off (although I'd advise you to do a lot of reading up to do so from an
    > informed position).
    >
    > Steve
    > http://www.fivetrees.com


    Steve - do you have any links to how-to's on getting PHP/MySQL and Apache
    running well on OpenBSD?

    How is it more difficult running it in chroot?



  6. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    "Paul" wrote in message
    news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
    >
    > Steve - do you have any links to how-to's on getting PHP/MySQL and Apache
    > running well on OpenBSD?


    Erm... it's not that hard - runs pretty well out of the box for me. I
    installed the following packages:
    mysql-client
    mysql-server
    php4-core
    php4-mysql

    You'll probably need to get the specific package names from the appropriate
    page for your architecture on the OpenBSD site. Pay attention to the
    post-install messages re enabling PHP etc. Use PHP5 rather than 4 if you
    prefer.

    Once you've set a password for MySQL, add the following to rc.local:

    # MySQL startup:
    if [ -x /usr/local/bin/mysqld_safe ]; then
        echo -n ' mysqld_safe'
        # --skip-networking disables TCP/IP; clients connect over the local socket
        /usr/local/bin/mysqld_safe --user=_mysql --skip-symlink \
            --local-infile=0 --safe-user-create --skip-networking &
    fi

    Which will get the server running at startup.

    If your MySQL server is very busy, you may need to increase the maxfiles
    setting in the kernel.

    > How is it more difficult running it in chroot?


    Read the following:
    http://www.openbsd.org/faq/faq10.html#httpdchroot

    With the chroot, everything (including all CGI etc) must be within the
    Apache path. This usually means duplicating all the executables you'll need
    within the path (symlinks won't work). I'd suggest you get everything
    working without a chroot first, then migrate. Or not.

    HTH,

    Steve
    http://www.fivetrees.com



  7. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    In article ,
    Steve at fivetrees wrote:
    >"Notgiven" wrote in message
    >news:xLdTg.26780$tT6.3288@bignews7.bellsouth.net.. .
    >> I've been a PHP/Database developer for a while and want to build a BSD web
    >> server with PHP/Apache and MySQL. The problem is I am not a BSD/Linux
    >> admin.
    >>
    >> I have successfully installed OpenBSD and got it serving up apache and
    >> apache SSL pages on a test box. It was actually quite easy following the
    >> site's directions.
    >>
    >> The problem lies when something happens for which there are no
    >> instructions - I will be somewhat lost. So I want a recommendation for a
    >> BSD flavor with these goals in mind:
    >> - secure by default or easily secured - will be hosting web application
    >> with client's data
    >> - not too hard to set up
    >> - not too hard to update
    >> - plenty of documentation
    >> - plenty of how-to's
    >> - good support community

    >
    >I use OpenBSD with MySQL and PHP with no problems at all. The online shop
    >system on my site (below) is built on this combination.
    >
    >The chroot does complicate things somewhat, but you *could* choose to turn
    >it off (although I'd advise you to do a lot of reading up to do so from an
    >informed position).
    >
    >Steve
    >http://www.fivetrees.com
    >
    >


    (L)AMP? Roast that Penguin over BAMP!
    --
    Member - Liberal International
    This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
    God Queen and country! Beware Anti-Christ rising!
    Beware Linux the Microsoft of Unixes

  8. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    "Steve at fivetrees" wrote in message
    news:IuSdnSYHJ-hJ34PYRVnyig@pipex.net...
    > "Paul" wrote in message
    > news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
    >>
    >> Steve - do you have any links to how-to's on getting PHP/MySQL and Apache
    >> running well on OpenBSD?

    >
    > Erm... it's not that hard - runs pretty well out of the box for me. I
    > installed the following packages:
    > mysql-client
    > mysql-server
    > php4-core
    > php4-mysql
    >
    > You'll probably need to get the specific package names from the
    > appropriate page for your architecture on the OpenBSD site. Pay attention
    > to the post-install messages re enabling PHP etc. Use PHP5 rather than 4
    > if you prefer.
    >
    > Once you've set a password for MySQL, add the following to rc.local:
    >
    > # MySQL startup:
    > if [ -x /usr/local/bin/mysqld_safe ]; then
    >     echo -n ' mysqld_safe'
    >     /usr/local/bin/mysqld_safe --user=_mysql --skip-symlink \
    >         --local-infile=0 --safe-user-create --skip-networking &
    > fi
    >
    > Which will get the server running at startup.
    >
    > If your MySQL server is very busy, you may need to increase the maxfiles
    > setting in the kernel.
    >
    >> How is it more difficult running it in chroot?

    >
    > Read the following:
    > http://www.openbsd.org/faq/faq10.html#httpdchroot
    >
    > With the chroot, everything (including all CGI etc) must be within the
    > Apache path. This usually means duplicating all the executables you'll
    > need within the path (symlinks won't work). I'd suggest you get everything
    > working without a chroot first, then migrate. Or not.
    >
    > HTH,
    >
    > Steve


    Does OpenBSD have jails like FreeBSD - would that be a better solution to more
    freely run Apache/PHP/MySQL while maintaining security?



  9. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    In comp.unix.bsd.openbsd.misc Paul wrote:
    > "Steve at fivetrees" wrote in message
    > news:IuSdnSYHJ-hJ34PYRVnyig@pipex.net...
    >> "Paul" wrote in message
    >> news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
    >>> Steve - do you have any links to how-to's on getting PHP/MySQL and Apache
    >>> running well on OpenBSD?


    >> With the chroot, everything (including all CGI etc) must be within the
    >> Apache path. This usually means duplicating all the executables you'll
    >> need within the path (symlinks won't work). I'd suggest you get everything
    >> working without a chroot first, then migrate. Or not.

    >
    > Does OpenBSD have jails like FreeBSD - would that be a better solution to more
    > freely run Apache/PHP/MySQL while maintaining security?


    OpenBSD does not have jails in the same way that FreeBSD does, but
    systrace can be used to get the same effect (and many others). Systrace,
    though, does cost in performance and is not trivial to get running
    correctly (although good tools are provided, so it's not that hard if
    you are comfortable with syscalls).

    Joachim

  10. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    wrote in message
    news:451e8957$0$20202$dbd41001@news.wanadoo.nl...
    > In comp.unix.bsd.openbsd.misc Paul wrote:
    >> "Steve at fivetrees" wrote in message
    >> news:IuSdnSYHJ-hJ34PYRVnyig@pipex.net...
    >>> "Paul" wrote in message
    >>> news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
    >>>> Steve - do you have any links to how-to's on getting PHP/MySQL and
    >>>> Apache
    >>>> running well on OpenBSD?

    >
    >>> With the chroot, everything (including all CGI etc) must be within the
    >>> Apache path. This usually means duplicating all the executables you'll
    >>> need within the path (symlinks won't work). I'd suggest you get
    >>> everything
    >>> working without a chroot first, then migrate. Or not.

    >>
    >> Does OpenBSD have jails like FreeBSD - would that be a better solution to
    >> more
    >> freely run Apache/PHP/MySQL while maintaining security?

    >
    > OpenBSD does not have jails in the same way that FreeBSD does, but
    > systrace can be used to get the same effect (and many others). Systrace,
    > though, does cost in performance and is not trivial to get running
    > correctly (although good tools are provided, so it's not that hard if
    > you are comfortable with syscalls).
    >
    > Joachim

    Thanks. I am not comfortable with syscalls since I am a newbie still. I
    wonder if FreeBSD with jails would be a better alternative for me since it
    appears to be more secure - a hack would not involve the entire system - than
    openbsd. Does that make sense to consider?



  11. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    "Paul" wrote in message
    news:SvxTg.10884$zF5.9463@bignews1.bellsouth.net.. .
    > Thanks. I am not comfortable with syscalls since I am a newbie still. I
    > wonder if FreeBSD with jails would be a better alternative for me since it
    > appears to be more secure - a hack would not involve the entire system - than
    > openbsd. Does that make sense to consider?


    As always, it depends. OpenBSD is very secure anyway, with or without the
    chroot. The weakest link is likely to be the CGI (PHP in your case).

    Steve
    http://www.fivetrees.com



  12. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    According to Steve at fivetrees :
    > "Paul" wrote in message
    > news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .


    [ ... ]

    > > How is it more difficult running it in chroot?

    >
    > Read the following:
    > http://www.openbsd.org/faq/faq10.html#httpdchroot
    >
    > With the chroot, everything (including all CGI etc) must be within the
    > Apache path. This usually means duplicating all the executables you'll need
    > within the path (symlinks won't work). I'd suggest you get everything
    > working without a chroot first, then migrate. Or not.


    In particular, I suggest compiling as statically-linked any
    programs which the server will be running directly (eg CGI programs).
    The static linking means that you won't have to put shared libs into the
    apache tree, too.

    And -- as that URL will tell you -- any paths to files accessed
    by the programs will have to be relocated within the Apache tree, and
    their paths will have to either be modified in the source to the
    programs, or you will have to build trees within the Apache tree to make
    the programs appear to be where they are expected to be.

    But I consider these pains to be worth it, as it seriously
    limits the damage that someone can do by exploiting a newly-discovered
    security hole in the Apache program itself -- or in whatever it runs.

    Good Luck,
    DoN,
    --
    Email: | Voice (all times): (703) 938-4564
    (too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
    --- Black Holes are where God is dividing by zero ---

  13. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    Just some random comments from recent experience...

    Steve at fivetrees wrote:
    > Erm... it's not that hard - runs pretty well out of the box for me. I
    > installed the following packages:
    > mysql-client
    > mysql-server
    > php4-core
    > php4-mysql


    Adding an accelerator/cache for PHP is really worth it. I use XCache
    1.0.2 ( http://trac.lighttpd.net/xcache/ ) with PHP 5.1.x. For PHP5.0.x,
    eaccelerator ( http://sourceforge.net/projects/eaccelerator/ ) was the
    better choice (xcache doesn't work correctly with 5.0, eaccelerator
    still had problems with 5.1 when I last tried it.)

    You'll probably also need to install the php modules for pear (to build
    the cache) and mbstring.
    >
    > Once you've set a password for MySQL, add the following to rc.local:
    >
    > # MySQL startup:
    > if [ -x /usr/local/bin/mysqld_safe ]; then
    >     echo -n ' mysqld_safe'
    >     /usr/local/bin/mysqld_safe --user=_mysql --skip-symlink \
    >         --local-infile=0 --safe-user-create --skip-networking &
    > fi


    As I just found out by accident there's a new mysqlmanager since 5.0.3.
    You can also use the /usr/local/share/mysql/mysql.server script to start
    and stop the server. It's probably a good idea to add something like
    this to rc.shutdown:

    if [ -x /usr/local/share/mysql/mysql.server ]; then
        /usr/local/share/mysql/mysql.server stop 2>&1
    fi

    > If your MySQL server is very busy, you may need to increase the maxfiles
    > setting in the kernel.


    I also found an explicit --open-files-limit=2048 parameter to
    mysqld_safe helpful. I'm not sure if this is still required in newer
    releases.

    Marc

  14. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    On Sat, 30 Sep 2006 18:21:07 +0100
    "Steve at fivetrees" wrote:

    > "Paul" wrote in message
    > news:SvxTg.10884$zF5.9463@bignews1.bellsouth.net.. .
    > > Thanks. I am not comfortable with syscalls since I am a newbie still.
    > > I wonder if FreeBSD with jails would be a better alternative for me
    > > since it appears to be more secure - a hack would not involve the entire
    > > system - than openbsd. Does that make sense to consider?

    >
    > As always, it depends. OpenBSD is very secure anyway, with or without the
    > chroot. The weakest link is likely to be the CGI (PHP in your case).


    Indeed, with PHP and SQL (actually *anything* that takes user input
    and makes SQL) it is *very* important to treat all user input as
    potentially hostile and screen it very carefully for SQL injection tricks
    and (in the case of web front ends) embedded HTML/JavaScript.

    Provided you do that, and turn off all unnecessary services, any BSD
    or Linux or Solaris or other unix family OS should do fine.

    --
    C:>WIN | Directable Mirror Arrays
    The computer obeys and wins. | A better way to focus the sun
    You lose and Bill collects. | licences available see
    | http://www.sohara.org/

  15. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    Marc Wirth wrote:

    > Steve at fivetrees wrote:


    >> If your MySQL server is very busy, you may need to increase the maxfiles
    >> setting in the kernel.

    >
    > I also found an explicit --open-files-limit=2048 parameter to
    > mysqld_safe helpful. I'm not sure if this is still required in newer
    > releases.


    And, while we're at it, look at /etc/login.conf.

    Joachim

  16. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    In comp.unix.bsd.openbsd.misc DoN. Nichols wrote:
    > According to Steve at fivetrees :
    >> "Paul" wrote in message
    >> news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .


    >> > How is it more difficult running it in chroot?

    >>
    >> Read the following:
    >> http://www.openbsd.org/faq/faq10.html#httpdchroot
    >>
    >> With the chroot, everything (including all CGI etc) must be within the
    >> Apache path. This usually means duplicating all the executables you'll need
    >> within the path (symlinks won't work). I'd suggest you get everything
    >> working without a chroot first, then migrate. Or not.

    >
    > In particular, I suggest compiling as statically-linked any
    > programs which the server will be running directly (eg CGI programs).
    > The static linking means that you won't have to put shared libs into the
    > apache tree, too.


    IME, copying shared libs is easier than remembering when to recompile
    PHP because one of the libraries statically linked into it has a
    vulnerability.

    It's not like you can't automate it, after all.

    Joachim

  17. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    In comp.unix.bsd.openbsd.misc Paul wrote:
    > wrote in message
    > news:451e8957$0$20202$dbd41001@news.wanadoo.nl...
    >> In comp.unix.bsd.openbsd.misc Paul wrote:
    >>> Does OpenBSD have jails like FreeBSD - would that be a better solution
    >>> to more freely run Apache/PHP/MySQL while maintaining security?

    >>
    >> OpenBSD does not have jails in the same way that FreeBSD does, but
    >> systrace can be used to get the same effect (and many others). Systrace,
    >> though, does cost in performance and is not trivial to get running
    >> correctly (although good tools are provided, so it's not that hard if
    >> you are comfortable with syscalls).
    >>

    > Thanks. I am not comfortable with syscalls since I am a newbie still. I
    > wonder if FreeBSD with jails would be a better alternative for me since it
    > appears to be more secure - a hack would not involve the entire system - than
    > openbsd. Does that make sense to consider?


    I have no experience with jails, but a few points:
    1. systrace really isn't that hard
    2. there is a jail-like thingy for OpenBSD, see
    http://archives.neohapsis.com/archiv...6-05/1920.html
    3. chroot() is usually enough

    Regarding the third point, consider what happens when someone gains
    complete access to your jail - i.e., compromises the Apache process. A
    competent attacker won't be hindered much by the absence of tools in the
    jail, but still - there's no way to escalate privileges unless you've
    done something stupid, no way to break chroot, and so on.

    A nasty DoS is possible - the default install doesn't like forkbombs,
    for instance, and other approaches like exhausting shared memory may
    also work - and you have access to both the network and whatever part of
    MySQL the web scripts have access to; but provided that some
    rate-limiting (especially on port 25 outgoing) is in place, I don't
    really see what more mischief one could do. Sure, trashing the web area
    is annoying, but it's not like a jail would prevent that.

    Joachim

  18. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    According to :
    > In comp.unix.bsd.openbsd.misc DoN. Nichols wrote:


    [ ... ]

    > > In particular, I suggest compiling as statically-linked any
    > > programs which the server will be running directly (eg CGI programs).
    > > The static linking means that you won't have to put shared libs into the
    > > apache tree, too.

    >
    > IME, copying shared libs is easier than remembering when to recompile
    > PHP because one of the libraries statically linked into it has a
    > vulnerability.


    But if you have shared libs in the chroot area, they are yet
    another thing which you have to worry about someone overwriting with a
    version which allows additional functions to piggyback upon a needed
    function. And installing a shared lib replacement somewhere else, and
    setting LD_LIBRARY_PATH to scan it before the normal library location
    could allow escalation of privilege. With statically linked binaries, all
    you have to worry about is whether the binary itself has been
    compromised -- and some programs will load from half a dozen to perhaps
    a couple of dozen shared libs -- so there is a lot more to watch out
    for.

    > It's not like you can't automate it, after all.


    Or automate the re-compiles with proper dependencies in the
    makefile.

    Enjoy,
    DoN.

    --
    Email: | Voice (all times): (703) 938-4564
    (too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
    --- Black Holes are where God is dividing by zero ---
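
Added example, not part of any post in this thread: posts 16 and 18 weigh copying shared libraries into the Apache chroot (and automating it) against the risk of a copy being overwritten. The sh script below automates the copy and also reports chroot copies that are missing, differ from the system copy, or are group- or world-writable. The /var/www default, the function names and the sample ldd lines are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): keep the shared libraries inside an
# httpd chroot in step with the system copies, and report altered copies.
# CHROOT defaults to /var/www (assumption); function names are hypothetical.

CHROOT=${CHROOT:-/var/www}

# Constructed ldd-style lines (not captured from a real system), showing what
# lib_paths keeps: the two library paths, not the executable or the header.
SAMPLE_LDD='/usr/local/bin/php:
    Start    End      Type Open Ref GrpRef Name
    00000000 00000000 exe  1    0   0      /usr/local/bin/php
    00000000 00000000 rlib 0    1   0      /usr/lib/libc.so.39.0
    00000000 00000000 rlib 0    1   0      /usr/local/lib/libxml2.so.9.0'

# lib_paths: read ldd output on stdin and print, once each, every field that
# is an absolute path ending in .so or .so.<version>.
lib_paths() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^\/.*\.so(\.[0-9]+)*$/) print $i }' | sort -u
}

# sync_libs: read library paths on stdin; copy each into the chroot at the
# same path when the chroot copy is missing or differs. Prints what it copied.
sync_libs() {
    while IFS= read -r lib; do
        [ -f "$lib" ] || { echo "skip (not on system): $lib" >&2; continue; }
        dest=$CHROOT$lib
        if ! { [ -f "$dest" ] && cmp -s "$lib" "$dest"; }; then
            # cp follows symlinks, so the chroot gets a real file; a symlink
            # pointing outside the chroot would not resolve from inside it.
            mkdir -p "$(dirname "$dest")" && cp -p "$lib" "$dest" &&
                echo "copied $lib"
        fi
    done
}

# audit_libs: read library paths on stdin and report chroot copies that are
# missing, differ from the system copy, or are group/world-writable.
# Returns 0 when nothing was reported, 1 otherwise.
audit_libs() {
    rc=0
    while IFS= read -r lib; do
        dest=$CHROOT$lib
        if [ ! -f "$dest" ]; then
            echo "MISSING $dest"; rc=1; continue
        fi
        # Differs from the system copy: stale after an update, or altered.
        cmp -s "$lib" "$dest" || { echo "DRIFT $dest"; rc=1; }
        # Writable by group or others: someone other than the owner can replace it.
        if [ -n "$(find "$dest" \( -perm -0002 -o -perm -0020 \) -print)" ]; then
            echo "WRITABLE $dest"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh chroot-libs.sh sync|audit /path/to/binary
case ${1:-} in
    sync)  ldd "$2" | lib_paths | sync_libs ;;
    audit) ldd "$2" | lib_paths | audit_libs ;;
esac
```

Run `sync` after every system or package update and `audit` from cron; a DRIFT line with no update in between means the chroot copy was changed in place.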

  19. Re: *BSD newbie wanting building (L)AMP server - recommendations?

    Really though.. OpenBSD is not that hard. Read the docs, search the
    web, ask questions, you'll sort everything out. You won't find a better
    Unix-like OS to work with.


    On Sep 30, 10:12 am, "Paul" wrote:
    > wrote in message news:451e8957$0$20202$dbd41001@news.wanadoo.nl...
    >
    > > In comp.unix.bsd.openbsd.misc Paul wrote:
    > >> "Steve at fivetrees" wrote in message
    > >>news:IuSdnSYHJ-hJ34PYRVnyig@pipex.net...
    > >>> "Paul" wrote in message
    > >>>news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
    > >>>> Steve - do you have any links to how-to's on getting PHP/MySQL and
    > >>>> Apache
    > >>>> running well on OpenBSD?

    >
    > >>> With the chroot, everything (including all CGI etc) must be within the
    > >>> Apache path. This usually means duplicating all the executables you'll
    > >>> need within the path (symlinks won't work). I'd suggest you get
    > >>> everything
    > >>> working without a chroot first, then migrate. Or not.

    >
    > >> Does OpenBSD have jails like FreeBSD - would that be a better solution to
    > >> more
    > >> freely run Apache/PHP/MySQL while maintaining security?

    >
    > > OpenBSD does not have jails in the same way that FreeBSD does, but
    > > systrace can be used to get the same effect (and many others). Systrace,
    > > though, does cost in performance and is not trivial to get running
    > > correctly (although good tools are provided, so it's not that hard if
    > > you are comfortable with syscalls).

    >
    > > Joachim
    >
    > Thanks. I am not comfortable with syscalls since I am a newbie still. I
    > wonder if FreeBSD with jails would be a better alternative for me since it
    > appears to be more secure - a hack would not involve the entire system - than
    > openbsd. Does that make sense to consider?


